OESA-2025-2311

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix kernel panic when alloc_page failed

We cannot set fraglist to NULL pointer when allocpage failed. It will be used in tlsstrpcheckqueueok when the next time tlsstrpread_sock is called.

This is because we don't reset fulllen in tlsstrpflushanchorcopy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset fulllen.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tlsstrpcheckrcv+0x128/0x27c tlsstrpdataready+0x34/0x44 tlsdataready+0x3c/0x1f0 tcpdataready+0x9c/0xe4 tcpdataqueue+0xf6c/0x12d0 tcprcvestablished+0x52c/0x798(CVE-2025-38018)

In the Linux kernel, the following vulnerability has been resolved:

calipso: Don't call calipso functions for AF_INET sk.

syzkaller reported a null-ptr-deref in txopt_get(). [0]

The offset 0x70 was of struct ipv6txoptions in struct ipv6pinfo, so struct ipv6_pinfo was NULL there.

However, this never happens for IPv6 sockets as inetsk(sk)->pinet6 is always set in inet6create(), meaning the socket was not IPv6 one.

The root cause is missing validation in netlblconnsetattr().

netlblconnsetattr() switches branches based on struct sockaddr.safamily, which is passed from userspace. However, netlblconn_setattr() does not check if the address family matches the socket.

The syzkaller must have called connect() for an IPv6 address on an IPv4 socket.

We have a proper validation in tcpv[46]connect(), but securitysocketconnect() is called in the earlier stage.

Let's copy the validation to netlblconnsetattr().

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txoptget include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <TASK> calipsosocksetattr+0x56/0x80 net/netlabel/netlabelcalipso.c:557 netlblconnsetattr+0x10c/0x280 net/netlabel/netlabelkapi.c:1177 selinuxnetlblsocketconnecthelper+0xd3/0x1b0 security/selinux/netlabel.c:569 selinuxnetlblsocketconnectlocked security/selinux/netlabel.c:597 [inline] selinuxnetlblsocketconnect+0xb6/0x100 security/selinux/netlabel.c:615 selinuxsocketconnect+0x5f/0x80 security/selinux/hooks.c:4931 securitysocketconnect+0x50/0xa0 security/security.c:4598 _sysconnectfile+0xa4/0x190 net/socket.c:2067 _sysconnect+0x12c/0x170 net/socket.c:2088 _dosysconnect net/socket.c:2098 [inline] _sesysconnect net/socket.c:2095 [inline] _x64sysconnect+0x73/0xb0 net/socket.c:2095 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xaa/0x1b0 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 </TASK> Modules linked in:(CVE-2025-38147)

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: qcom: msm: mark certain pins as invalid for interrupts

On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for example: gpiomon -c 0 113 on RB2.

The exact culprit is requesting pins whose intrdetectionwidth setting is not 1 or 2 for interrupts. This hits a BUG() in msmgpioirqsettype(). Potentially crashing the kernel due to an invalid request from user-space is not optimal, so let's go through the pins and mark those that would fail the check as invalid for the irq chip as we should not even register them as available irqs.

This function can be extended if we determine that there are more corner-cases like this.(CVE-2025-38516)

In the Linux kernel, the following vulnerability has been resolved:

hv_netvsc: Fix panic during namespace deletion with VF

The existing code move the VF NIC to new namespace when NETDEVREGISTER is received on netvsc NIC. During deletion of the namespace, defaultdeviceexitbatch() >> defaultdeviceexitnet() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the defaultdeviceexitnet() >> foreachnetdev_safe loop unable to detect the list end, and hit NULL ptr:

[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: errorcode(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanupnet [ 231.452947] RIP: 0010:defaultdeviceexitbatch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] opsundolist+0x100/0x220 [ 231.459015] cleanupnet+0x1b8/0x300 [ 231.459285] processonework+0x184/0x340

To fix it, move the ns change to a workqueue, and take rtnllock to avoid changing the netdev list when defaultdeviceexitnet() is using it.(CVE-2025-38683)

In the Linux kernel, the following vulnerability has been resolved:

pNFS: Fix uninited ptr deref in block/scsi layout

The error occurs on the third attempt to encode extents. When function exttreepreparecommit() reallocates a larger buffer to retry encoding extents, the "layoutupdatepages" page array is initialized only after the retry loop. But exttreefree_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers.

An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server.

During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in exttreeencodecommit() does not help much. Since this number increases even more between unlocking and locking of exttree, the reallocated buffer may not be large enough again and again.(CVE-2025-38691)

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: w7090p: fix null-ptr-deref in w7090ptunerwriteserpar and w7090ptunerreadserpar

In w7090ptunerwrite_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash.

Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027i2cxfer()")(CVE-2025-38693)

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Validate i_depth for exhash directories

A fuzzer test introduced corruption that ends up with a depth of 0 in direread(), causing an undefined shift by 32 at:

index = hash >> (32 - dip->i_depth);

As calculated in an open-coded way in dirmakeexhash(), the minimum depth for an exhash directory is ilog2(sdp->sdhashptrs) and 0 is invalid as sdp->sdhashptrs is fixed as sdp->bsize / 16 at mount time.

So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2dinodein(). Values greater than the maximum are already being checked for there.

Also switch the calculation in dirmakeexhash() to use ilog2() to clarify how the depth is calculated.

Tested with the syzkaller repro.c and xfstests '-g quick'.(CVE-2025-38710)

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix jump offset calculation in tailcall

The extra pass of bpfintjitcompile() skips JIT context initialization which essentially skips offset calculation leaving outoffset = -1, so the jmpoffset in emitbpftailcall is calculated by

"#define jmpoffset (outoffset - (cur_offset))"

is a negative number, which is wrong. The final generated assembly are as follow.

54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c

Before apply this patch, the follow test case will reveal soft lock issues.

cd tools/testing/selftests/bpf/ ./testprogs --allow=tailcalls/tailcallbpf2bpf_1

dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! test_progs:25056

In the Linux kernel, the following vulnerability has been resolved:

nfsd: handle getclientlocked() failure in nfsd4setclientidconfirm()

Lei Lu recently reported that nfsd4setclientidconfirm() did not check the return value from getclientlocked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF.

Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all.

In the case where the unconfirmed client is expiring, just fail and return the result from getclientlocked().(CVE-2025-38724)