OESA-2025-2059

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

powerpc/xive/spapr: correct bitmap allocation size

kasan detects access beyond the end of the xibm->bitmap allocation:

BUG: KASAN: slab-out-of-bounds in findfirstzerobit+0x40/0x140 Read of size 8 at addr c00000001d1d0118 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28 Call Trace: [c00000001d98f770] [c0000000012baab8] dumpstacklvl+0xac/0x108 (unreliable) [c00000001d98f7b0] [c00000000068faac] printreport+0x37c/0x710 [c00000001d98f880] [c0000000006902c0] kasanreport+0x110/0x354 [c00000001d98f950] [c000000000692324] _asanload8+0xa4/0xe0 [c00000001d98f970] [c0000000011c6ed0] findfirstzerobit+0x40/0x140 [c00000001d98f9b0] [c0000000000dbfbc] xivespaprgetipi+0xcc/0x260 [c00000001d98fa70] [c0000000000d6d28] xivesetupcpuipi+0x1e8/0x450 [c00000001d98fb30] [c000000004032a20] pSeriessmpprobe+0x5c/0x118 [c00000001d98fb60] [c000000004018b44] smppreparecpus+0x944/0x9ac [c00000001d98fc90] [c000000004009f9c] kernelinitfreeable+0x2d4/0x640 [c00000001d98fd90] [c0000000000131e8] kernelinit+0x28/0x1d0 [c00000001d98fe10] [c00000000000cd54] retfromkernelthread+0x5c/0x64

Allocated by task 0: kasansavestack+0x34/0x70 _kasankmalloc+0xb4/0xf0 _kmalloc+0x268/0x540 xivespaprinit+0x4d0/0x77c pseriesinitirq+0x40/0x27c initIRQ+0x44/0x84 startkernel+0x2a4/0x538 starthere_common+0x1c/0x20

The buggy address belongs to the object at c00000001d1d0118 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of 8-byte region [c00000001d1d0118, c00000001d1d0120)

The buggy address belongs to the physical page: page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff) raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480 raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc ^ c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc

This happens because the allocation uses the wrong unit (bits) when it should pass (BITSTOLONGS(count) * sizeof(long)) or equivalent. With small numbers of bits, the allocated object can be smaller than sizeof(long), which results in invalid accesses.

Use bitmapzalloc() to allocate and initialize the irq bitmap, paired with bitmapfree() for consistency.(CVE-2022-49623)

In the Linux kernel, the following vulnerability has been resolved:

wifi: at76c50x: fix use after free access in at76_disconnect

The memory pointed to by priv is freed at the end of at76deletedevice function (using ieee80211freehw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface.(CVE-2025-37796)

In the Linux kernel, the following vulnerability has been resolved:

codel: remove sch->q.qlen check before qdisctreereduce_backlog()

After making all ->qlennotify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fqcodeldequeue() and codelqdisc_dequeue().(CVE-2025-37798)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: qfq: Fix double list add in class with netem as child qdisc

As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.

This patch checks whether the class was already added to the agg->active list (clisactive) before doing the addition to cater for the reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/(CVE-2025-37913)

In the Linux kernel, the following vulnerability has been resolved:

net: atm: fix /proc/net/atm/lec handling

/proc/net/atm/lec must ensure safety against dev_lec[] changes.

It appears it had devput() calls without prior devhold(), leading to imbalance and UAF.(CVE-2025-38180)

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch d3ed1d84a84538a39b3eb2055d6a97a936c108f2/fcda39a9c5b834346088c14b1374336b079466c1/a262370f385e53ff7470efdcdaf40468e5756717/a47d9d9895bad9ce0e840a39836f19ca0b2a343a/4f15ee98304b96e164ff2340e1dfd6181c3f42aa is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38495)

A vulnerability classified as problematic was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer.As an impact it is known to affect confidentiality.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch ff30dd3f15f443d2a0085b12ec2cc95d44f35fa7/955e8835855fed8e87f7d8c8075564a1746c1b4c/e0f3c0867d7d231c70984f05c97752caacd0daba/43ddd82e6a91913cea1c078e782afd8de60c3a53/66acb1586737a22dd7b78abc63213b1bcaa100e4 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38529)