OESA-2025-1627

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1627
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1627.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1627
Published
2025-06-13T14:19:56Z
Modified
2025-08-12T05:40:19.800003Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

vp_vdpa: fix the crash in hot unplug with vp_vdpa

While unplugging the vp_vdpa device, it triggers a kernel panic. The root cause is: vdpa_mgmtdev_unregister() will access modern devices which will cause a use after free. So need to change the sequence in vp_vdpa_remove

(CVE-2023-53082)

In the Linux kernel, the following vulnerability has been resolved:

soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()

soc_dev_attr->revision could be NULL, thus, a pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c").

This issue is found by our static analysis tool.(CVE-2025-23148)

In the Linux kernel, the following vulnerability has been resolved:

media: venus: hfi_parser: refactor hfi packet parsing logic

words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated before parsing the payload, thereby eliminates the OOB access possibilities.(CVE-2025-23156)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix oob write in trace_seq_to_buffer()

syzbot reported this bug:

BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260

CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
__asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822

....

It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.(CVE-2025-37923)

In the Linux kernel, the following vulnerability has been resolved:

module: ensure that kobject_put() is safe for module type kobjects

In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.(CVE-2025-37995)

Database specific
{
    "severity": "High"
}
Affected packages

openEuler:22.03-LTS-SP3 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.0-267.0.0.169.oe2203sp3

Ecosystem specific

{
    "src": [
        "kernel-5.10.0-267.0.0.169.oe2203sp3.src.rpm"
    ],
    "x86_64": [
        "kernel-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-debugsource-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-devel-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-headers-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-source-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-tools-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "kernel-tools-devel-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "perf-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "python3-perf-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.x86_64.rpm"
    ],
    "aarch64": [
        "kernel-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-debugsource-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-devel-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-headers-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-source-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-tools-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-tools-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "kernel-tools-devel-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "perf-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "python3-perf-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-267.0.0.169.oe2203sp3.aarch64.rpm"
    ]
}