The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
net: allow small head cache usage with large MAX_SKB_FRAGS values
Sabrina reported the following splat:
WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0
Call Trace:
<TASK>
gro_cells_init+0x1ba/0x270
xfrm_input_init+0x4b/0x2a0
xfrm_init+0x38/0x50
ip_rt_init+0x2d7/0x350
ip_init+0xf/0x20
inet_init+0x406/0x590
do_one_initcall+0x9d/0x2e0
do_initcalls+0x23b/0x280
kernel_init_freeable+0x445/0x490
kernel_init+0x20/0x1d0
ret_from_fork+0x46/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
irq event stamp: 584330
hardirqs last enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0
hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0
softirqs last enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470
softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0
on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD.
Such a build additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat.
Note that the underlying issue is independent from the mentioned revert; address it by ensuring that the small head cache will fit both TCP and GRO allocations, and by updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache. (CVE-2025-21868)
In the Linux kernel, the following vulnerability has been resolved:
atm: Fix NULL pointer dereference
When MPOA_cache_impos_rcvd() receives the msg, it can trigger a NULL pointer dereference if both entry and holding_time are NULL. Because there is only a check for the situation where entry is NULL and holding_time exists, the check can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passed to eg_cache_put() as a parameter, and it is referenced by the entry->use code in it.
kasan log:
[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 3.319298] RIP: 0010:egcacheremoveentry+0xa5/0x470
[ 3.326430] Call Trace:
[ 3.326725] <TASK>
[ 3.326927] ? dieaddr+0x3c/0xa0
[ 3.327330] ? excgeneralprotection+0x161/0x2a0
[ 3.327662] ? asmexcgeneralprotection+0x26/0x30
[ 3.328214] ? vprintkemit+0x15e/0x420
[ 3.328543] ? egcacheremoveentry+0xa5/0x470
[ 3.328910] ? egcacheremoveentry+0x9a/0x470
[ 3.329294] ? pfxegcacheremoveentry+0x10/0x10
[ 3.329664] ? consoleunlock+0x107/0x1d0
[ 3.329946] ? _pfxconsoleunlock+0x10/0x10
[ 3.330283] ? dosyscall64+0xa6/0x1a0
[ 3.330584] ? entrySYSCALL64afterhwframe+0x47/0x7f
[ 3.331090] ? _pfxprbreadvalid+0x10/0x10
[ 3.331395] ? downtrylock+0x52/0x80
[ 3.331703] ? vprintkemit+0x15e/0x420
[ 3.331986] ? _pfxvprintkemit+0x10/0x10
[ 3.332279] ? downtrylock+0x52/0x80
[ 3.332527] ? printk+0xbf/0x100
[ 3.332762] ? _pfxprintk+0x10/0x10
[ 3.333007] ? rawwritelockirq+0x81/0xe0
[ 3.333284] ? pfxrawwritelockirq+0x10/0x10
[ 3.333614] msgfrommpoad+0x1185/0x2750
[ 3.333893] ? buildskbaround+0x27b/0x3a0
[ 3.334183] ? _pfxmsgfrommpoad+0x10/0x10
[ 3.334501] ? _allocskb+0x1c0/0x310
[ 3.334809] ? _pfxallocskb+0x10/0x10
[ 3.335283] ? rawspinlock+0xe0/0xe0
[ 3.335632] ? finishwait+0x8d/0x1e0
[ 3.335975] vccsendmsg+0x684/0xba0
[ 3.336250] ? pfxvccsendmsg+0x10/0x10
[ 3.336587] ? _pfxautoremovewakefunction+0x10/0x10
[ 3.337056] ? fdget+0x176/0x3e0
[ 3.337348] _syssendto+0x4a2/0x510
[ 3.337663] ? _pfxsyssendto+0x10/0x10
[ 3.337969] ? ioctlhasperm.constprop.0.isra.0+0x284/0x400
[ 3.338364] ? sockioctl+0x1bb/0x5a0
[ 3.338653] ? rseqhandlenotifyresume+0x825/0xd20
[ 3.339017] ? _pfxsockioctl+0x10/0x10
[ 3.339316] ? _pfxrseqhandlenotifyresume+0x10/0x10
[ 3.339727] ? selinuxfileioctl+0xa4/0x260
[ 3.340166] _x64syssendto+0xe0/0x1c0
[ 3.340526] ? syscallexittousermode+0x123/0x140
[ 3.340898] dosyscall64+0xa6/0x1a0
[ 3.341170] entrySYSCALL64after_hwframe+0x77/0x7f
---truncated---(CVE-2025-22018)
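The gap in the check described above, as an added user-space model that is not the kernel's code or the upstream patch. The struct, enum and function names are hypothetical stand-ins, holding_time is assumed to be an integer that can be zero, and the "after" variant is only one way to close the gap.

```c
#include <stddef.h>
#include <stdint.h>

/* User-space model; names are hypothetical stand-ins for the kernel's
 * egress cache entry and message handler, not the kernel's own code. */
struct eg_entry { int use; uint16_t holding_time; };
enum outcome { ADDED, UPDATED, REMOVED, IGNORED, NULL_DEREF };

/* Stand-in for eg_cache_put(): the real helper touches entry->use, so a
 * NULL entry is reported here instead of being dereferenced. */
static int put_entry(struct eg_entry *e)
{
    if (e == NULL)
        return -1;
    e->use--;
    return 0;
}

/* Before: only "no entry, non-zero holding time" is screened out. */
static enum outcome impos_rcvd_before(struct eg_entry *entry, uint16_t holding_time)
{
    if (entry == NULL && holding_time)
        return ADDED;                  /* new entry created, early return */
    if (holding_time)
        entry->holding_time = holding_time;
    if (put_entry(entry) < 0)          /* reached with entry == NULL */
        return NULL_DEREF;             /* the kernel would oops here */
    return holding_time ? UPDATED : REMOVED;
}

/* After: a missing entry is handled before any path that uses it. */
static enum outcome impos_rcvd_after(struct eg_entry *entry, uint16_t holding_time)
{
    if (entry == NULL)
        return holding_time ? ADDED : IGNORED;
    if (holding_time)
        entry->holding_time = holding_time;
    put_entry(entry);
    return holding_time ? UPDATED : REMOVED;
}

int main(void)
{
    /* Constructed input: no cache entry and a zero holding time. */
    return (impos_rcvd_before(NULL, 0) == NULL_DEREF &&
            impos_rcvd_after(NULL, 0) == IGNORED) ? 0 : 1;
}
```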
In the Linux kernel, the following vulnerability has been resolved:
rtnetlink: Allocate vfinfo size for VF GUIDs when supported
Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs") added support for getting VF port and node GUIDs in netlink ifinfo messages, but their size was not taken into consideration in the function that allocates the netlink message, causing the following warning when a netlink message is filled with many VF port and node GUIDs:
# echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs
# ip link show dev ib0
RTNETLINK answers: Message too long
Cannot send link get request: Message too long
Kernel warning:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnlgetlink+0x586/0x5a0
Modules linked in: xtconntrack xtMASQUERADE nfnetlink xtaddrtype iptablenat nfnat brnetfilter overlay mlx5ib macsec mlx5core tls rpcrdma rdmaucm ibuverbs ibiser libiscsi scsitransportiscsi ibumad rdmacm iwcm ibipoib fuse ibcm ibcore
CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:rtnlgetlink+0x586/0x5a0
Call Trace:
<TASK>
? warn+0xa5/0x230
? rtnlgetlink+0x586/0x5a0
? reportbug+0x22d/0x240
? handlebug+0x53/0xa0
? excinvalidop+0x14/0x50
? asmexcinvalidop+0x16/0x20
? skbtrim+0x6a/0x80
? rtnlgetlink+0x586/0x5a0
? _pfxrtnlgetlink+0x10/0x10
? rtnetlinkrcvmsg+0x1e5/0x860
? _pfxmutexlock+0x10/0x10
? rcuiswatching+0x34/0x60
? pfxlockacquire+0x10/0x10
? stacktracesave+0x90/0xd0
? filterirqstacks+0x1d/0x70
? kasansavestack+0x30/0x40
? kasansavestack+0x20/0x40
? kasansavetrack+0x10/0x30
rtnetlinkrcvmsg+0x21c/0x860
? entrySYSCALL64afterhwframe+0x76/0x7e
? _pfxrtnetlinkrcvmsg+0x10/0x10
? archstackwalk+0x9e/0xf0
? rcuiswatching+0x34/0x60
? lockacquire+0xd5/0x410
? rcuiswatching+0x34/0x60
netlinkrcvskb+0xe0/0x210
? _pfxrtnetlinkrcvmsg+0x10/0x10
? _pfxnetlinkrcvskb+0x10/0x10
? rcuiswatching+0x34/0x60
? _pfxnetlinklookup+0x10/0x10
? lockrelease+0x62/0x200
? netlinkdelivertap+0xfd/0x290
? rcuiswatching+0x34/0x60
? lockrelease+0x62/0x200
? netlinkdelivertap+0x95/0x290
netlinkunicast+0x31f/0x480
? pfxnetlinkunicast+0x10/0x10
? rcuiswatching+0x34/0x60
? lockacquire+0xd5/0x410
netlinksendmsg+0x369/0x660
? lockrelease+0x62/0x200
? _pfxnetlinksendmsg+0x10/0x10
? importubuf+0xb9/0xf0
? _importiovec+0x254/0x2b0
? lockrelease+0x62/0x200
? _pfxnetlinksendmsg+0x10/0x10
_syssendmsg+0x559/0x5a0
? pfxsyssendmsg+0x10/0x10
? _pfxcopymsghdrfromuser+0x10/0x10
? rcuiswatching+0x34/0x60
? doreadfault+0x213/0x4a0
? rcuiswatching+0x34/0x60
syssendmsg+0xe4/0x150
? pfxsyssendmsg+0x10/0x10
? dofault+0x2cc/0x6f0
? handleptefault+0x2e3/0x3d0
? _pfxhandleptefault+0x10/0x10
---truncated---(CVE-2025-22075)
In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. (CVE-2025-38352)
{ "severity": "Medium" }
{ "aarch64": [ "bpftool-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "bpftool-debuginfo-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-debuginfo-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-debugsource-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-devel-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-headers-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-source-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-tools-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-tools-debuginfo-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "kernel-tools-devel-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "perf-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "perf-debuginfo-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "python3-perf-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm", "python3-perf-debuginfo-6.6.0-105.0.0.108.oe2403sp1.aarch64.rpm" ], "x86_64": [ "bpftool-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "bpftool-debuginfo-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-debuginfo-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-debugsource-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-devel-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-headers-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-source-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-tools-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-tools-debuginfo-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "kernel-tools-devel-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "perf-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "perf-debuginfo-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "python3-perf-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm", "python3-perf-debuginfo-6.6.0-105.0.0.108.oe2403sp1.x86_64.rpm" ], "src": [ "kernel-6.6.0-105.0.0.108.oe2403sp1.src.rpm" ] }