The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

usb: atm: cxacru: fix a flaw in existing endpoint checks

Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")).

While using usbfindcommon_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well.

Since cxacrubind() fills URBs with CXACRUEPCMD address in mind, switch the endpoint verification approach to usbcheckXXXendpoints() instead to fix incomplete ep testing.

[1] Syzbot report: usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usbsubmiturb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... RIP: 0010:usbsubmiturb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> cxacrucm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649 cxacrucardstatus drivers/usb/atm/cxacru.c:760 [inline] cxacrubind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223 usbatmusbprobe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058 cxacruusbprobe+0x184/0x220 drivers/usb/atm/cxacru.c:1377 usbprobeinterface+0x641/0xbb0 drivers/usb/core/driver.c:396 reallyprobe+0x2b9/0xad0 drivers/base/dd.c:658 _driverprobedevice+0x1a2/0x390 drivers/base/dd.c:800 driverprobedevice+0x50/0x430 drivers/base/dd.c:830 ...(CVE-2025-21916)

In the Linux kernel, the following vulnerability has been resolved:

drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl

In the "pmcmdioctl" function, three memory objects allocated by kmalloc are initialized by "hcallgetcpustate", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes.(CVE-2025-21950)

In the Linux kernel, the following vulnerability has been resolved:

backlight: ledbl: Hold ledaccess lock when calling ledsysfsdisable()

Lockdep detects the following issue on led-backlight removal: [ 142.315935] ------------[ cut here ]------------ [ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 ledsysfsenable+0x54/0x80 ... [ 142.500725] Call trace: [ 142.503176] ledsysfsenable+0x54/0x80 (P) [ 142.507370] ledblremove+0x80/0xa8 [ledbl] [ 142.511742] platformremove+0x30/0x58 [ 142.515501] device_remove+0x54/0x90 ...

Indeed, ledsysfsenable() has to be called with the led_access lock held.

Hold the lock when calling ledsysfsdisable().(CVE-2025-23144)

In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix uninit-value access of imap allocated in the diMount() function

syzbot reports that hexdumpto_buffer is using uninit-value:

===================================================== BUG: KMSAN: uninit-value in hexdumptobuffer+0x888/0x1100 lib/hexdump.c:171 hexdumptobuffer+0x888/0x1100 lib/hexdump.c:171 printhexdump+0x13d/0x3e0 lib/hexdump.c:276 diFree+0x5ba/0x4350 fs/jfs/jfsimap.c:876 jfsevictinode+0x510/0x550 fs/jfs/inode.c:156 evict+0x723/0xd10 fs/inode.c:796 iputfinal fs/inode.c:1946 [inline] iput+0x97b/0xdb0 fs/inode.c:1972 txUpdateMap+0xf3e/0x1150 fs/jfs/jfstxnmgr.c:2367 txLazyCommit fs/jfs/jfstxnmgr.c:2664 [inline] jfslazycommit+0x627/0x11d0 fs/jfs/jfstxnmgr.c:2733 kthread+0x6b9/0xef0 kernel/kthread.c:464 retfromfork+0x6d/0x90 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244

Uninit was created at: slabpostallochook mm/slub.c:4121 [inline] slaballocnode mm/slub.c:4164 [inline] _kmalloccachenoprof+0x8e3/0xdf0 mm/slub.c:4320 kmallocnoprof include/linux/slab.h:901 [inline] diMount+0x61/0x7f0 fs/jfs/jfsimap.c:105 jfsmount+0xa8e/0x11d0 fs/jfs/jfsmount.c:176 jfsfillsuper+0xa47/0x17c0 fs/jfs/super.c:523 gettreebdevflags+0x6ec/0x910 fs/super.c:1636 gettreebdev+0x37/0x50 fs/super.c:1659 jfsgettree+0x34/0x40 fs/jfs/super.c:635 vfsgettree+0xb1/0x5a0 fs/super.c:1814 donewmount+0x71f/0x15e0 fs/namespace.c:3560 pathmount+0x742/0x1f10 fs/namespace.c:3887 domount fs/namespace.c:3900 [inline] _dosysmount fs/namespace.c:4111 [inline] _sesysmount+0x71f/0x800 fs/namespace.c:4088 _x64sysmount+0xe4/0x150 fs/namespace.c:4088 x64syscall+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls64.h:166 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83

entrySYSCALL64afterhwframe+0x77/0x7f

The reason is that imap is not properly initialized after memory allocation. It will cause the snprintf() function to write uninitialized data into linebuf within hexdumpto_buffer().

Fix this by using kzalloc instead of kmalloc to clear its content at the beginning in diMount().(CVE-2025-37742)

In the Linux kernel, the following vulnerability has been resolved:

net: libwx: handle pagepooldevallocpages error

pagepooldevallocpages could return NULL. There was a WARN_ON(!page) but it would still proceed to use the NULL pointer and then crash.

This is similar to commit 001ba0902046 ("net: fec: handle pagepooldevallocpages error").

This is found by our static analysis tool KNighter.(CVE-2025-37755)

In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: Fix malformed packet sizing in vmxnet3processxdp

vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes).

We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for some of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.

In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets).

We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible).

Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager to also switch xdppreparebuff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3processxdpsmall(), by the way, and it indicates the correct length needed to initialize the xdp->{data,dataend} parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the relevant part was adapting xdpinitbuff() to address the warning given the xdpdatahardend() depends on xdp->framesz. With that fixed, traffic on the wire looks good again.(CVE-2025-37799)

In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: cihdrcimx: fix usbmisc handling

usbmisc is an optional device property so it is totally valid for the corresponding data->usbmisc_data to have a NULL value.

Check that before dereferencing the pointer.

Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.(CVE-2025-37811)

In the Linux kernel, the following vulnerability has been resolved:

sfc: fix NULL dereferences in ef100processdesign_param()

Since cited commit, ef100probemain() and hence also ef100checkdesignparams() run before efx->netdev is created; consequently, we cannot netifsettsomaxsize() or segs() at this point. Move those netif calls to ef100probenetdev(), and also replace netiferr within the design params code with pci_err.(CVE-2025-37860)