The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix null-ptr-deref in blocktouchbuffer tracepoint

Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".

This series fixes null pointer dereference bugs that occur when using nilfs2 and two block-related tracepoints.

This patch (of 2):

It has been reported that when using "block:blocktouchbuffer" tracepoint, touchbuffer() called from _nilfsgetfolio_block() causes a NULL pointer dereference, or a general protection fault when KASAN is enabled.

This happens because since the tracepoint was added in touchbuffer(), it references the devt member bh->bbdev->bddev regardless of whether the buffer head has a pointer to a blockdevice structure. In the current implementation, the blockdevice structure is set after the function returns to the caller.

Here, touchbuffer() is used to mark the folio/page that owns the buffer head as accessed, but the common search helper for folio/page used by the caller function was optimized to mark the folio/page as accessed when it was reimplemented a long time ago, eliminating the need to call touchbuffer() here in the first place.

So this solves the issue by eliminating the touch_buffer() call itself.(CVE-2024-53131)

In the Linux kernel, the following vulnerability has been resolved:drm: adv7511: Fix use-after-free in adv7533attachdsi()The hostnode pointer was assigned and freed in adv7533parsedt(), andlater, adv7533attachdsi() uses the same. Fix this use-after-free issueby dropping ofnodeput() in adv7533parsedt() and calling ofnode_put()in error path of probe() and also in the remove().(CVE-2024-57887)

In the Linux kernel, the following vulnerability has been resolved:ila: serialize calls to nfregisternethooks()syzbot found a race in ilaaddmapping() [1]commit 031ae72825ce ( ila: call nfunregisternethooks() sooner )attempted to fix a similar issue.Looking at the syzbot repro, we have concurrent ILACMDADD commands.Add a mutex to make sure at most one thread is calling nfregisternethooks().[1] BUG: KASAN: slab-use-after-free in rhtkeyhashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in _rhashtablelookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024Call Trace: <IRQ> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xc3/0x620 mm/kasan/report.c:489 kasanreport+0xd9/0x110 mm/kasan/report.c:602 rhtkeyhashfn include/linux/rhashtable.h:159 [inline] _rhashtablelookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtablelookup include/linux/rhashtable.h:646 [inline] rhashtablelookupfast include/linux/rhashtable.h:672 [inline] ilalookupwildcards net/ipv6/ila/ilaxlat.c:127 [inline] ilaxlataddr net/ipv6/ila/ilaxlat.c:652 [inline] ilanfinput+0x1ee/0x620 net/ipv6/ila/ilaxlat.c:185 nfhookentryhookfn include/linux/netfilter.h:154 [inline] nfhookslow+0xbb/0x200 net/netfilter/core.c:626 nfhook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NFHOOK include/linux/netfilter.h:312 [inline] ipv6rcv+0xa4/0x680 net/ipv6/ip6input.c:309 _netifreceiveskbonecore+0x12e/0x1e0 net/core/dev.c:5672 _netifreceiveskb+0x1d/0x160 net/core/dev.c:5785 processbacklog+0x443/0x15f0 net/core/dev.c:6117 _napipoll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napipoll net/core/dev.c:6952 [inline] netrxaction+0xa94/0x1010 net/core/dev.c:7074 handlesoftirqs+0x213/0x8f0 kernel/softirq.c:561 _dosoftirq kernel/softirq.c:595 [inline] invokesoftirq kernel/softirq.c:435 [inline] _irqexitrcu+0x109/0x170 kernel/softirq.c:662 irqexitrcu+0x9/0x30 kernel/softirq.c:678 instrsysvecapictimerinterrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvecapictimerinterrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049(CVE-2024-57900)

In the Linux kernel, the following vulnerability has been resolved:

jfs: add check read-only before txBeginAnon() call

Added a read-only check before calling txBeginAnon in extAlloc and extRecord. This prevents modification attempts on a read-only mounted filesystem, avoiding potential errors or crashes.

Call trace: txBeginAnon+0xac/0x154 extAlloc+0xe8/0xdec fs/jfs/jfsextent.c:78 jfsgetblock+0x340/0xb98 fs/jfs/inode.c:248 _blockwritebeginint+0x580/0x166c fs/buffer.c:2128 _blockwritebegin fs/buffer.c:2177 [inline] blockwritebegin+0x98/0x11c fs/buffer.c:2236 jfswritebegin+0x44/0x88 fs/jfs/inode.c:299(CVE-2024-58095)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb2_lock

If smblock->zerolen has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine.(CVE-2025-21945)

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix slab-use-after-free on hdcp_work

[Why] A slab-use-after-free is reported when HDCP is destroyed but the propertyvalidatedwork queue is still running.

[How] Cancel the delayed work when destroying workqueue.

(cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128)(CVE-2025-21968)

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Apply the link chain quirk on NEC isoc endpoints

Two clearly different specimens of NEC uPD720200 (one with start/stop bug, one without) were seen to cause IOMMU faults after some Missed Service Errors. Faulting address is immediately after a transfer ring segment and patched dynamic debug messages revealed that the MSE was received when waiting for a TD near the end of that segment:

[ 1.041954] xhcihcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0 [ 1.042120] xhcihcd: AMD-Vi: Event logged [IOPAGEFAULT domain=0x0005 address=0xffa09000 flags=0x0000] [ 1.042146] xhcihcd: AMD-Vi: Event logged [IOPAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]

It gets even funnier if the next page is a ring segment accessible to the HC. Below, it reports MSE in segment at ff1e8000, plows through a zero-filled page at ff1e9000 and starts reporting events for TRBs in page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.

[ 7.041671] xhcihcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.041999] xhcihcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.042011] xhcihcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042028] xhcihcd: All TDs skipped for slot 1 ep 2. Clear skip flag. [ 7.042134] xhcihcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042138] xhcihcd: ERROR Transfer event TRB DMA ptr not part of current TD epindex 2 compcode 31 [ 7.042144] xhcihcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.042259] xhcihcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042262] xhcihcd: ERROR Transfer event TRB DMA ptr not part of current TD epindex 2 compcode 31 [ 7.042266] xhcihcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820

At some point completion events change from Isoch Buffer Overrun to Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.

[ 7.098130] xhcihcd: ERROR Transfer event TRB DMA ptr not part of current TD epindex 2 compcode 13 [ 7.098132] xhcihcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098254] xhcihcd: ERROR Transfer event TRB DMA ptr not part of current TD epindex 2 compcode 13 [ 7.098256] xhcihcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2

It's possible that data from the isochronous device were written to random buffers of pending TDs on other endpoints (either IN or OUT), other devices or even other HCs in the same IOMMU domain.

Lastly, an error from a different USB device on another HC. Was it caused by the above? I don't know, but it may have been. The disk was working without any other issues and generated PCIe traffic to starve the NEC of upstream BW and trigger those MSEs. The two HCs shared one x1 slot by means of a commercial "PCIe splitter" board.

[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhcihcd [ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVEROK cmdage=0s [ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00 [ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 physseg 5 prio class 0

Fortunately, it appears that this ridiculous bug is avoided by setting the chain bit of Link TRBs on isochronous rings. Other ancient HCs are known which also expect the bit to be set and they ignore Link TRBs if it's not. Reportedly, 0.95 spec guaranteed that the bit is set.

The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports tens of MSEs per second and runs into the bug within seconds. Chaining Link TRBs allows the same workload to run for many minutes, many times.

No ne ---truncated---(CVE-2025-22022)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: put dlstid if fail to queue dlrecall

Before calling nfsd4runcb to queue dlrecall to the callbackwq, we increment the reference count of dlstid. We expect that after the corresponding workstruct is processed, the reference count of dlstid will be decremented through the callback function nfsd4cbrecallrelease. However, if the call to nfsd4runcb fails, the incremented reference count of dlstid will not be decremented correspondingly, leading to the following nfs4stid leak: unreferenced object 0xffff88812067b578 (size 344): comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s) hex dump (first 32 bytes): 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........ 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N.. backtrace: kmemcachealloc+0x4b9/0x700 nfsd4processopen1+0x34/0x300 nfsd4open+0x2d1/0x9d0 nfsd4proccompound+0x7a2/0xe30 nfsddispatch+0x241/0x3e0 svcprocesscommon+0x5d3/0xcc0 svcprocess+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 retfromfork+0x30/0x50 retfromforkasm+0x1b/0x30 unreferenced object 0xffff8881499f4d28 (size 368): comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I.... 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... ....... backtrace: kmemcachealloc+0x4b9/0x700 nfs4allocstid+0x29/0x210 allocinitdeleg+0x92/0x2e0 nfs4setdelegation+0x284/0xc00 nfs4opendelegation+0x216/0x3f0 nfsd4processopen2+0x2b3/0xee0 nfsd4open+0x770/0x9d0 nfsd4proccompound+0x7a2/0xe30 nfsddispatch+0x241/0x3e0 svcprocesscommon+0x5d3/0xcc0 svcprocess+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 retfromfork+0x30/0x50 retfromforkasm+0x1b/0x30 Fix it by checking the result of nfsd4runcb and call nfs4putstid if fail to queue dl_recall.(CVE-2025-22025)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: don't ignore the return code of svcprocregister()

Currently, nfsdprocstatinit() ignores the return value of svcproc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later.

Fix nfsdprocstatinit() to return the same type of pointer as svcprocregister(), and fix up nfsdnetinit() to check that and fail the nfsdnet construction if it occurs.

svcprocregister() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM.(CVE-2025-22026)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix overflow in dacloffset bounds check

The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smbcheckpermdacl() and smbinherit_dacl().

This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer.

This patch converts dacloffset to unsigned int and uses checkaddoverflow() to validate access to the DACL.(CVE-2025-22039)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add bounds check for create lease context

Add missing bounds check for create lease context.(CVE-2025-22042)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add bounds check for durable handle context

Add missing bounds check for durable handle context.(CVE-2025-22043)

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: update channel list in reg notifier instead reg worker

Currently when ath11k gets a new channel list, it will be processed according to the following steps: 1. update new channel list to cfg80211 and queue regwork. 2. cfg80211 handles new channel list during regwork. 3. update cfg80211's handled channel list to firmware by ath11kregupdatechanlist().

But ath11k will immediately execute step 3 after regwork is just queued. Since step 2 is asynchronous, cfg80211 may not have completed handling the new channel list, which may leading to an out-of-bounds write error: BUG: KASAN: slab-out-of-bounds in ath11kregupdatechanlist Call Trace: ath11kregupdatechanlist+0xbfe/0xfe0 [ath11k] kfree+0x109/0x3a0 ath11kregdupdate+0x1cf/0x350 [ath11k] ath11kregdupdatework+0x14/0x20 [ath11k] processonework+0xe35/0x14c0

Should ensure step 2 is completely done before executing step 3. Thus Wen raised patch[1]. When flag NL80211REGDOMSETBYDRIVER is set, cfg80211 will notify ath11k after step 2 is done.

So enable the flag NL80211REGDOMSETBYDRIVER then cfg80211 will notify ath11k after step 2 is done. At this time, there will be no KASAN bug during the execution of the step 3.

[1] https://patchwork.kernel.org/project/linux-wireless/patch/(CVE-2025-23133)

In the Linux kernel, the following vulnerability has been resolved:

riscv: uprobes: Add missing fence.i after building the XOL buffer

The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution of stale/broken instructions.

This was found running the BPF selftests "testprogs: uprobeautoattach, attach_probe" on the Spacemit K1/X60, where the uprobes tests randomly blew up.(CVE-2025-37822)

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue

When the task management thread processes reply queues while the reset thread resets them, the task management thread accesses an invalid queue ID (0xFFFF), set by the reset thread, which points to unallocated memory, causing a crash.

Add flag 'ioadminreset_sync' to synchronize access between the reset, I/O, and admin threads. Before a reset, the reset handler sets this flag to block I/O and admin processing threads. If any thread bypasses the initial check, the reset thread waits up to 10 seconds for processing to finish. If the wait exceeds 10 seconds, the controller is marked as unrecoverable.(CVE-2025-37861)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in session logoff

The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2sesssetup function which makes use of sess->user.(CVE-2025-37899)

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation

Currently during the multi-link element defragmentation process, the multi-link element length added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211defragmle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer.

To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset.(CVE-2025-37973)

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: displayport: Fix NULL pointer access

This patch ensures that the UCSI driver waits for all pending tasks in the ucsidisplayportwork workqueue to finish executing before proceeding with the partner removal.(CVE-2025-37994)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix region locking in hash types

Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahashbucketstart(), ahashbucketend() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.(CVE-2025-37997)

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: ti: k3-udma: Add missing locking

Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled:

[ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udmastart.isra.0+0x34/0x238 [ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [ 4.144867] Hardware name: pp-v12 (DT) [ 4.148648] Workqueue: events udmachecktxcompletion [ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.160834] pc : udmastart.isra.0+0x34/0x238 [ 4.165227] lr : udmastart.isra.0+0x30/0x238 [ 4.169618] sp : ffffffc083cabcf0 [ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [ 4.244986] Call trace: [ 4.247463] udmastart.isra.0+0x34/0x238 [ 4.251509] udmachecktxcompletion+0xd0/0xdc [ 4.256076] processonework+0x244/0x3fc [ 4.260129] processscheduledworks+0x6c/0x74 [ 4.264610] workerthread+0x150/0x1dc [ 4.268398] kthread+0xd8/0xe8 [ 4.271492] retfromfork+0x10/0x20 [ 4.275107] irq event stamp: 220 [ 4.278363] hardirqs last enabled at (219): [<ffffffc080a27c7c>] _rawspinunlockirq+0x38/0x50 [ 4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1dbg+0x24/0x50 [ 4.294879] softirqs last enabled at (182): [<ffffffc080037e68>] handlesoftirqs+0x1c0/0x3cc [ 4.303437] softirqs last disabled at (177): [<ffffffc080010170>] _dosoftirq+0x1c/0x28 [ 4.311559] ---[ end trace 0000000000000000 ]---

This commit adds the missing locking.(CVE-2025-38005)

In the Linux kernel, the following vulnerability has been resolved:

_legitimizemnt(): check for MNTSYNCUMOUNT should be under mount_lock

... or we risk stealing final mntput from sync umount - raising mntcount after umount(2) has verified that victim is not busy, but before it has set MNTSYNCUMOUNT; in that case _legitimizemnt() doesn't see that it's safe to quietly undo mntcount increment and leaves dropping the reference to caller, where it'll be a full-blown mntput().

Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.(CVE-2025-38058)

In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Check return value from memblockphysalloc_range()

At least with CONFIGPHYSICALSTART=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblockphysallocrange() returns 0 on failure, which leads memblockphys_free() to throw the first 4 MiB of physical memory to the wolves.

At a minimum it should fail gracefully with a meaningful diagnostic, but in fact everything seems to work fine without the weird reserve allocation.(CVE-2025-38071)

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix ECVF vports unload on shutdown flow

Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed.

ECVF functionality is independent of ecpfvportexists capability and thus functions mlx5eswitch(enable|disable)pfvf_vports() should not test it when enabling/disabling ECVF vports.

kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28

refcountwarnsaturate+0x124/0x220

[] Call trace: [] refcountwarnsaturate+0x124/0x220 [] treeputnode+0x164/0x1e0 [mlx5core] [] mlx5destroyflowtable+0x98/0x2c0 [mlx5core] [] eswaclingresstabledestroy+0x28/0x40 [mlx5core] [] eswaclingresslgcycleanup+0x80/0xf4 [mlx5core] [] eswlegacyvportaclcleanup+0x44/0x60 [mlx5core] [] eswvportcleanup+0x64/0x90 [mlx5core] [] mlx5eswvportdisable+0xc0/0x1d0 [mlx5core] [] mlx5eswitchunloadecvfvports+0xcc/0x150 [mlx5core] [] mlx5eswitchdisablesriov+0x198/0x2a0 [mlx5core] [] mlx5devicedisablesriov+0xb8/0x1e0 [mlx5core] [] mlx5sriovdetach+0x40/0x50 [mlx5core] [] mlx5unload+0x40/0xc4 [mlx5core] [] mlx5unloadonedevllocked+0x6c/0xe4 [mlx5core] [] mlx5unloadone+0x3c/0x60 [mlx5core] [] shutdown+0x7c/0xa4 [mlx5core] [] pcideviceshutdown+0x3c/0xa0 [] deviceshutdown+0x170/0x340 [] _dosysreboot+0x1f4/0x2a0 [] _arm64sysreboot+0x2c/0x40 [] invokesyscall+0x78/0x100 [] el0svccommon.constprop.0+0x54/0x184 [] doel0svc+0x30/0xac [] el0svc+0x48/0x160 [] el0t64synchandler+0xa4/0x12c [] el0t64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---(CVE-2025-38109)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: Initialize ssc before laundromat_work to prevent NULL dereference

In nfs4statestartnet(), laundromatwork may access nfsdssc through nfs4laundromat -> nfsd4sscexpireumount. If nfsdssc isn't initialized, this can cause NULL pointer dereference.

Normally the delayed start of laundromatwork allows sufficient time for nfsdssc initialization to complete. However, when the kernel waits too long for userspace responses (e.g. in nfs4statestartnet -> nfsd4endgrace -> nfsd4recordgracedone -> nfsd4cldgracedone -> cldpipeupcall -> _cldpipeupcall -> waitforcompletion path), the delayed work may start before nfsd_ssc initialization finishes.

Fix this by moving nfsdssc initialization before starting laundromatwork.(CVE-2025-38231)

In the Linux kernel, the following vulnerability has been resolved:

kernfs: Relax constraint in draining guard

The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanism is in place, the WARN check in kernfsshoulddrainopenfiles() is too sensitive -- it may transiently catch those (rightful) callers between kernfsunbreakactiveprotection() and kernfsput_active() as found out by Chen Ridong:

kernfs_remove_by_name_ns    kernfs_get_active // active=1
__kernfs_remove                   // active=0x80000002
kernfs_drain            ...
wait_event
//waiting (active == 0x80000001)
                kernfs_break_active_protection
                // active = 0x80000001
// continue
                kernfs_unbreak_active_protection
                // active = 0x80000002
...
kernfs_should_drain_open_files
// warning occurs
                kernfs_put_active

To avoid the false positives (mind paniconwarn) remove the check altogether. (This is meant as quick fix, I think active reference break/unbreak may be simplified with larger rework.)(CVE-2025-38282)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Always pass notifications when child class becomes empty

Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.

The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:

tc qdisc add dev lo root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo parent 1: classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
tc qdisc add dev lo parent 2:1 handle 3: netem
tc qdisc add dev lo parent 3:1 handle 4: blackhole

echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
tc class delete dev lo classid 1:1
echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888

Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisctreereducebacklog always calls qlennotify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdiscreset() and / or qdiscpurgequeue() which ultimately resets its qlen to 0 thus causing the following qdisctreereducebacklog() to report to the parent. Note that this may call qlennotify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlennotify() handlers idempotent.(CVE-2025-38350)

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check dce_hwseq before dereferencing it

[WHAT]

hws was checked for null earlier in dce110blankstream, indicating hws can be null, and should be checked whenever it is used.

(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad)(CVE-2025-38361)

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix uaf in nbdgenlconnect() error path

There is a use-after-free issue in nbd:

block nbd6: Receive control failed (result -104)

block nbd6: shutting down sockets

BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67

CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recvwork Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0xc3/0x670 mm/kasan/report.c:521 kasanreport+0xe0/0x110 mm/kasan/report.c:634 checkregioninline mm/kasan/generic.c:183 [inline] kasancheckrange+0xef/0x1a0 mm/kasan/generic.c:189 instrumentatomicreadwrite include/linux/instrumented.h:96 [inline] atomicdec include/linux/atomic/atomic-instrumented.h:592 [inline] recvwork+0x694/0xa80 drivers/block/nbd.c:1022 processonework+0x9cc/0x1b70 kernel/workqueue.c:3238 processscheduledworks kernel/workqueue.c:3319 [inline] workerthread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 retfromfork+0x45/0x80 arch/x86/kernel/process.c:153 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK>

nbdgenlconnect() does not properly stop the device on certain error paths after nbdstartdevice() has been called. This causes the error path to put nbd->config while recvwork continue to use the config after putting it, leading to use-after-free in recvwork.

This patch moves nbdstartdevice() after the backend file creation.(CVE-2025-38443)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Abort _tcmodify_qdisc if parent class does not exist

Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisccreate (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisctreereducebacklog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands:

sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisctreereducebacklog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlennotify with a null class. All these qdiscs make the assumption that class is non-null.

The solution is ensure that qdiscleaf() which looks up the parent class, and is invoked prior to qdisccreate(), should return failure on not finding the class. In this patch, we leverage qdiscleaf to return ERRPTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/(CVE-2025-38457)

In the Linux kernel, the following vulnerability has been resolved:

net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime

Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme.

The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is running:

# ip link add bond1 up type bond mode 0 # ethtool -K bond1 rx-vlan-filter off # ip link del dev bond1

When the device is put administratively down the "rx-vlan-filter" feature is disabled, so the 8021q module will not remove VLAN 0 and the memory will be leaked [1].

Another problem that can happen is that the kernel can automatically delete VLAN 0 when the device is put administratively down despite not adding it when the device was put administratively up since during that time the "rx-vlan-filter" feature was disabled. null-ptr-unref or bugon[2] will be triggered by unregistervlan_dev() for refcount imbalance if toggling filtering during runtime:

$ ip link add bond0 type bond mode 0 $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q $ ethtool -K bond0 rx-vlan-filter off $ ifconfig bond0 up $ ethtool -K bond0 rx-vlan-filter on $ ifconfig bond0 down $ ip link del vlan0

Root cause is as below: step1: add vlan0 for realdev, such as bond, team. registervlandev vlanvidadd(realdev,htons(ETHP8021Q),0) //refcnt=1 step2: disable vlan filter feature and enable realdev step3: change filter from 0 to 1 vlandeviceevent vlanfilterpushvids ndovlanrxaddvid //No refcnt added to realdev vlan0 step4: realdev down vlandeviceevent vlanviddel(dev, htons(ETHP8021Q), 0); //refcnt=0 vlaninforcufree //free vlan0 step5: delete vlan0 unregistervlandev BUGON(!vlaninfo); //vlaninfo is null

Fix both problems by noting in the VLAN info whether VLAN 0 was automatically added upon NETDEVUP and based on that decide whether it should be deleted upon NETDEVDOWN, regardless of the state of the "rx-vlan-filter" feature.

[1] unreferenced object 0xffff8880068e3100 (size 256): comm "ip", pid 384, jiffies 4296130254 hex dump (first 32 bytes): 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 81ce31fa): kmalloccachenoprof+0x2b5/0x340 vlanvidadd+0x434/0x940 vlandeviceevent.cold+0x75/0xa8 notifiercallchain+0xca/0x150 _devnotifyflags+0xe3/0x250 rtnlconfigurelink+0x193/0x260 rtnlnewlinkcreate+0x383/0x8e0 _rtnlnewlink+0x22c/0xa40 rtnlnewlink+0x627/0xb00 rtnetlinkrcvmsg+0x6fb/0xb70 netlinkrcvskb+0x11f/0x350 netlinkunicast+0x426/0x710 netlinksendmsg+0x75a/0xc20 _socksendmsg+0xc1/0x150 syssendmsg+0x5aa/0x7b0 _syssendmsg+0xfc/0x180

[2] kernel BUG at net/8021q/vlan.c:99! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:unregistervlandev (net/8021q/vlan.c:99 (discriminator 1)) RSP: 0018:ffff88810badf310 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8 RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80 R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000 R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0 Call Trace: <TASK ---truncated---(CVE-2025-38470)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: schqfq: Fix race condition on qfqaggregate

A race condition can occur when 'agg' is modified in qfqchangeagg (called during qfqenqueue) while other threads access it concurrently. For example, qfqdumpclass may trigger a NULL dereference, and qfqdelete_class may cause a use-after-free.

This patch addresses the issue by:

1. Moved qfqdestroyclass into the critical section.

2. Added schtreelock protection to qfqdumpclass and qfqdumpclass_stats.(CVE-2025-38477)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in cifsoplockbreak

A race condition can occur in cifsoplockbreak() leading to a use-after-free of the cinode structure when unmounting:

cifsoplockbreak() cifsFileInfoput(cfile) cifsFileInfoputfinal() cifssbdeactive() [last ref, start releasing sb] killsb() killanonsuper() genericshutdownsuper() evictinodes() disposelist() evict() destroyinode() callrcu(&inode->ircu, icallback) spinlock(&cinode->openfilelock) <- OK [later] icallback() cifsfreeinode() kmemcachefree(cinode) spinunlock(&cinode->openfilelock) <- UAF cifsdoneoplock_break(cinode) <- UAF

The issue occurs when umount has already released its reference to the superblock. When cifsFileInfoput() calls cifssbdeactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifsoplockbreak() continues to access the cinode after this point, resulting in use-after-free.

Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes.(CVE-2025-38527)

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix handling of server side tls alerts

Scott Mayhew discovered a security exploit in NFS over TLS in tlsalertrecv() due to its assumption it can read data from the msg iterator's kvec..

kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer.

This patch proposes to rework how control messages are setup and used by sock_recvmsg().

If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tlsalertrecv.(CVE-2025-38566)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent infinite loop in rt6nlmsgsize()

While testing prior patch, I was able to trigger an infinite loop in rt6nlmsgsize() in the following place:

listforeachentryrcu(sibling, &f6i->fib6siblings, fib6siblings) { rt6nhnlmsgsize(sibling->fib6nh, &nexthop_len); }

This is because fib6delroute() and fib6addrt2node() uses listdelrcu(), which can confuse rcu readers, because they might no longer see the head of the list.

Restart the loop if f6i->fib6_nsiblings is zero.(CVE-2025-38588)

In the Linux kernel, the following vulnerability has been resolved:

eventpoll: Fix semi-unbounded recursion

Ensure that epoll instances can never form a graph deeper than EPMAXNESTS+1 links.

Currently, eploopcheck_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons:

• They don't look upwards in the tree.
• If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths").

Essentially, the current recursion depth check in eploopcheck_proc() just serves to prevent it from recursing too deeply while checking for loops.

A more thorough check is done in reversepathcheck() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files.

As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").)

To fix it:

1. In eploopcheck_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited.
2. Add epgetupwardsdepthproc() for similarly determining the maximum depth of an upwards walk.
3. In eploopcheck(), use these values to limit the total path length between epoll nodes to EPMAXNESTS edges.(CVE-2025-38614)

In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix a race in packetsetring() and packet_notifier()

When packetsetring() releases po->bindlock, another thread can run packetnotifier() and process an NETDEV_UP event.

This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packetbind() and packetnotifier()").

There too the packetnotifier NETDEVUP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken.

The po->bindlock in packetsetring and packetnotifier precede the introduction of git history.(CVE-2025-38617)

In the Linux kernel, the following vulnerability has been resolved:

rv: Use strings in da monitors tracepoints

Using DA monitors tracepoints with KASAN enabled triggers the following warning:

BUG: KASAN: global-out-of-bounds in dotraceeventraweventeventdamonitor+0xd6/0x1a0 Read of size 32 at addr ffffffffaada8980 by task ... Call Trace: <TASK> [...] dotraceeventraweventeventdamonitor+0xd6/0x1a0 ? _pfxdotraceeventraweventeventdamonitor+0x10/0x10 ? traceeventsncid+0x83/0x200 traceeventsncid+0x163/0x200 [...] The buggy address belongs to the variable: automatonsnep+0x4e0/0x5e0

This is caused by the tracepoints reading 32 bytes _array instead of _string from the automata definition. Such strings are literals and reading 32 bytes ends up in out of bound memory accesses (e.g. the next automaton's data in this case). The error is harmless as, while printing the string, we stop at the null terminator, but it should still be fixed.

Use the __string facilities while defining the tracepoints to avoid reading out of bound memory.(CVE-2025-38636)

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix a null pointer dereference in icecopyandinitpkg()

Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference.(CVE-2025-38664)

In the Linux kernel, the following vulnerability has been resolved:

ASoC: core: Check for rtd == NULL in sndsocremovepcmruntime()

sndsocremovepcmruntime() might be called with rtd == NULL which will leads to null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to missing hardware component on the system. On module removal the soctplgremovelink() would call sndsocremovepcm_runtime() with rtd == NULL since the link was ignored, no runtime was created.(CVE-2025-38706)

In the Linux kernel, the following vulnerability has been resolved:

netlink: avoid infinite retry looping in netlink_unicast()

netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has:

rmem < READONCE(sk->skrcvbuf)

to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under:

rmem + skb->truesize > READONCE(sk->skrcvbuf)

The checks don't cover the case when skb->truesize + sk->skrmemalloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task - and is called in retry loop for indefinite time which is caught as:

rcu: INFO: rcusched self-detected stall on CPU rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 (t=26000 jiffies g=230833 q=259957) NMI backtrace for cpu 0 CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 Call Trace: <IRQ> dumpstack lib/dumpstack.c:120 nmicpubacktrace.cold lib/nmibacktrace.c:105 nmitriggercpumaskbacktrace lib/nmibacktrace.c:62 rcudumpcpustacks kernel/rcu/treestall.h:335 rcuschedclockirq.cold kernel/rcu/tree.c:2590 updateprocesstimes kernel/time/timer.c:1953 tickschedhandle kernel/time/tick-sched.c:227 tickschedtimer kernel/time/tick-sched.c:1399 _hrtimerrunqueues kernel/time/hrtimer.c:1652 hrtimerinterrupt kernel/time/hrtimer.c:1717 _sysvecapictimerinterrupt arch/x86/kernel/apic/apic.c:1113 asmcallirqonstack arch/x86/entry/entry64.S:808 </IRQ>

netlinkattachskb net/netlink/afnetlink.c:1234 netlinkunicast net/netlink/afnetlink.c:1349 kauditdsendqueue kernel/audit.c:776 kauditdthread kernel/audit.c:897 kthread kernel/kthread.c:328 retfromfork arch/x86/entry/entry64.S:304

Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code.

Found by Linux Verification Center (linuxtesting.org).(CVE-2025-38727)

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null pointer check in modhdcphdcp1createsession()

The function modhdcphdcp1createsession() calls the function getfirstactive_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference.

Add a null pointer check for getfirstactivedisplay() and return MODHDCPSTATUSDISPLAYNOTFOUND if the function return null.

This is similar to the commit c3e9826a2202 ("drm/amd/display: Add null pointer check for getfirstactive_display()").

(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)(CVE-2025-39675)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix backlog accounting in qdiscdequeueinternal

This issue applies for the following qdiscs: hhf, fq, fqcodel, and fqpie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisctreereduce_backlog call given a tbf parent:

When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gsoskb. Their peek handlers are qdiscpeekdequeued, which accounts for both qlen and backlog. However, in the case of qdiscdequeueinternal, ONLY qlen is accounted for when pulling from gsoskb. This means that these qdiscs are missing a qdiscqstatsbacklog_dec when dropping packets to satisfy the new limit in their change handlers.

One can observe this issue with the following (with tc patched to support a limit of 0):

export TARGET=fq tc qdisc del dev lo root tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 echo ''; echo 'add child'; tc -s -d qdisc show dev lo ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null echo ''; echo 'after ping'; tc -s -d qdisc show dev lo tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo tc qdisc replace dev lo handle 2: parent 1:1 sfq echo ''; echo 'post graft'; tc -s -d qdisc show dev lo

The second to last show command shows 0 packets but a positive number (74) of backlog bytes. The problem becomes clearer in the last show command, where qdiscpurgequeue triggers qdisctreereduce_backlog with the positive backlog and causes an underflow in the tbf parent's backlog (4096 Mb instead of 0).

To fix this issue, the codepath for all clients of qdiscdequeueinternal has been simplified: codel, pie, hhf, fq, fqpie, and fqcodel. qdiscdequeueinternal handles the backlog adjustments for all cases that do not directly use the dequeue handler.

The old fqcodelchange limit adjustment loop accumulated the arguments to the subsequent qdisctreereducebacklog call through the cstats field. However, this is confusing and error prone as fqcodeldequeue could also potentially mutate this field (which qdiscdequeueinternal calls in the non gsoskb case), so we have unified the code here with other qdiscs.(CVE-2025-39677)

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix use of uninitialized memory in doinsnioctl() and doinsnlistioctl()

syzbot reports a KMSAN kernel-infoleak in do_insn_ioctl(). A kernel buffer is allocated to hold insn->n samples (each of which is an unsigned int). For some instruction types, insn->n samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole insn->n samples, so that there is an information leak. There is a similar syzbot report for do_insnlist_ioctl(), although it does not have a reproducer for it at the time of writing.

One culprit is insn_rw_emulate_bits() which is used as the handler for INSN_READ or INSN_WRITE instructions for subdevices that do not have a specific handler for that instruction, but do have an INSN_BITS handler. For INSN_READ it only fills in at most 1 sample, so if insn->n is greater than 1, the remaining insn->n - 1 samples copied to userspace will be uninitialized kernel data.

Another culprit is vm80xx_ai_insn_read() in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer.

Fix it in do_insn_ioctl() and do_insnlist_ioctl() by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction.

Thanks to Arnaud Lecomte for their fix to do_insn_ioctl(). That fix replaced the call to kmalloc_array() with kcalloc(), but it is not always necessary to clear the whole buffer.(CVE-2025-39684)

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix a race when updating an existing write

After nfslockandjoinrequests() tests for whether the request is still attached to the mapping, nothing prevents a call to nfsinoderemoverequest() from succeeding until we actually lock the page group. The reason is that whoever called nfsinoderemoverequest() doesn't necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in nfslockandjoinrequests(), and hold it across the removal of the request in nfsinoderemove_request().(CVE-2025-39697)

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix memory corruption when FW resources change during ifdown

bnxtsetdfltrings() assumes that it is always called before any TC has been created. So it doesn't take bp->numtc into account and assumes that it is always 0 or 1.

In the FW resource or capability change scenario, the FW will return flags in bnxthwrmifchange() that will cause the driver to reinitialize and call bnxtcancelreservations(). This will lead to bnxtinitdfltringmode() calling bnxtsetdfltrings() and bp->numtc may be greater than 1. This will cause bp->txring[] to be sized too small and cause memory corruption in bnxtalloccp_rings().

Fix it by properly scaling the TX rings by bp->numtc in the code paths mentioned above. Add 2 helper functions to determine bp->txnrrings and bp->txnrringsper_tc.(CVE-2025-39810)

In the Linux kernel, the following vulnerability has been resolved:

efivarfs: Fix slab-out-of-bounds in efivarfsdcompare

Observed on kernel 6.6 (present on master as well):

BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasancheckrange+0xe8/0x190 _asanloadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfsdcompare+0x68/0xd8 _dlookuprcuopcompare+0x178/0x218 _dlookuprcu+0x1f8/0x228 dallocparallel+0x150/0x648 lookupopen.isra.0+0x5f0/0x8d0 openlastlookups+0x264/0x828 pathopenat+0x130/0x3f8 dofilpopen+0x114/0x248 dosysopenat2+0x340/0x3c0 _arm64sys_openat+0x120/0x1a0

If dentry->dname.len < EFIVARIABLEGUIDLEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename:

T1 T2 lookupopen ->lookup simplelookup d_add // invalid dentry is added to hash list

        lookup_open
         d_alloc_parallel
          __d_lookup_rcu
           __d_lookup_rcu_op_compare
            hlist_bl_for_each_entry_rcu
            // invalid dentry can be retrieved
             ->d_compare
              efivarfs_d_compare
              // oob

Fix it by checking 'guid' before cmp.(CVE-2025-39817)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix race with concurrent opens in rename(2)

Besides sending the rename request to the server, the rename process also involves closing any deferred close, waiting for outstanding I/O to complete as well as marking all existing open handles as deleted to prevent them from deferring closes, which increases the race window for potential concurrent opens on the target file.

Fix this by unhashing the dentry in advance to prevent any concurrent opens on the target.(CVE-2025-39825)

In the Linux kernel, the following vulnerability has been resolved:

fs: writeback: fix use-after-free in _markinode_dirty()

An use-after-free issue occurred when _markinodedirty() get the bdiwriteback that was in the progress of switching.

CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : _markinodedirty+0x124/0x418 lr : _markinodedirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: _markinodedirty+0x124/0x418 genericupdatetime+0x4c/0x60 filemodified+0xcc/0xd0 ext4bufferedwriteiter+0x58/0x124 ext4filewriteiter+0x54/0x704 vfswrite+0x1c0/0x308 ksyswrite+0x74/0x10c _arm64syswrite+0x1c/0x28 invokesyscall+0x48/0x114 el0svccommon.constprop.0+0xc0/0xe0 doel0svc+0x1c/0x28 el0svc+0x40/0xe4 el0t64synchandler+0x120/0x12c el0t64sync+0x194/0x198

Root cause is:

systemd-random-seed kworker

_markinodedirty inodeswitchwbsworkfn

spinlock(&inode->ilock); inodeattachwb lockedinodetowbandlocklist get inode->iwb spinunlock(&inode->ilock); spinlock(&wb->listlock) spinlock(&inode->ilock) inodeiolistmovelocked spinunlock(&wb->listlock) spinunlock(&inode->ilock) spinlock(&oldwb->listlock) inodedoswitchwbs spinlock(&inode->ilock) inode->iwb = newwb spinunlock(&inode->ilock) spinunlock(&oldwb->listlock) wbputmany(oldwb, nrswitched) cgwbrelease old wb released wbwakeup_delayed() accesses wb, then trigger the use-after-free issue

Fix this race condition by holding inode spinlock until wbwakeupdelayed() finished.(CVE-2025-39866)

In the Linux kernel, the following vulnerability has been resolved:

kernfs: Fix UAF in polling when open file is released

A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism:

BUG: KASAN: slab-use-after-free in psitriggerpoll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task systemd/1

psitriggerpoll+0x3c/0x140 cgrouppressurepoll+0x70/0xa0 cgroupfilepoll+0x8c/0x100 kernfsfoppoll+0x11c/0x1c0 epitempoll.isra.0+0x188/0x2c0

Allocated by task 1: cgroupfileopen+0x88/0x388 kernfsfopopen+0x73c/0xaf0 dodentryopen+0x5fc/0x1200 vfsopen+0xa0/0x3f0 doopen+0x7e8/0xd08 pathopenat+0x2fc/0x6b0 dofilp_open+0x174/0x368

Freed by task 8462: cgroupfilerelease+0x130/0x1f8 kernfsdrainopenfiles+0x17c/0x440 kernfsdrain+0x2dc/0x360 kernfsshow+0x1b8/0x288 cgroupfileshow+0x150/0x268 cgrouppressurewrite+0x1dc/0x340 cgroupfile_write+0x274/0x548

Reproduction Steps: 1. Open test/cpu.pressure and establish epoll monitoring 2. Disable monitoring: echo 0 > test/cgroup.pressure 3. Re-enable monitoring: echo 1 > test/cgroup.pressure

The race condition occurs because: 1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it: - Releases PSI triggers via cgroupfilerelease() - Frees of->priv through kernfsdrainopen_files() 2. While epoll still holds reference to the file and continues polling 3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv

epolling disable/enable cgroup.pressure fd=open(cpu.pressure) while(1) ... epollwait kernfsfoppoll kernfsgetactive = true echo 0 > cgroup.pressure ... cgroupfileshow kernfsshow // inactive kn kernfsdrainopenfiles cft->release(of); kfree(ctx); ... kernfsgetactive = false echo 1 > cgroup.pressure kernfsshow kernfsactivateone(kn); kernfsfoppoll kernfsgetactive = true cgroupfilepoll psitriggerpoll // UAF ... end: close(fd)

To address this issue, introduce kernfsgetactiveof() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfsgetactive() with kernfsgetactiveof() to prevent further operations on released file descriptors.(CVE-2025-39881)

In the Linux kernel, the following vulnerability has been resolved:

i40e: fix IRQ freeing in i40evsirequestirqmsix error path

If requestirq() in i40evsirequestirqmsix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong devid argument for free_irq(), so it does not free the IRQs correctly and instead triggers the warning:

Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 freeirq+0x192/0x2c0 Modules linked in: i40e(+) [...] CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:freeirq+0x192/0x2c0 [...] Call Trace: <TASK> freeirq+0x32/0x70 i40evsirequestirqmsix.cold+0x63/0x8b [i40e] i40evsirequestirq+0x79/0x80 [i40e] i40evsiopen+0x21f/0x2f0 [i40e] i40eopen+0x63/0x130 [i40e] devopen+0xfc/0x210 _devchangeflags+0x1fc/0x240 netifchangeflags+0x27/0x70 dosetlink.isra.0+0x341/0xc70 rtnlnewlink+0x468/0x860 rtnetlinkrcvmsg+0x375/0x450 netlinkrcvskb+0x5c/0x110 netlinkunicast+0x288/0x3c0 netlinksendmsg+0x20d/0x430 _syssendmsg+0x3a2/0x3d0 _syssendmsg+0x99/0xe0 _syssendmsg+0x8a/0xf0 dosyscall64+0x82/0x2c0 entrySYSCALL64afterhwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]---

Use the same devid for freeirq() as for request_irq().

I tested this with inserting code to fail intentionally.(CVE-2025-39911)

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Harden uplink netdev access against device unbind

The function mlx5uplinknetdevget() gets the uplink netdevice pointer from mdev->mlx5eres.uplinknetdev. However, the netdevice can be removed and its pointer cleared when unbound from the mlx5core.eth driver. This results in a NULL pointer, causing a kernel panic.

BUG: unable to handle page fault for address: 0000000000001300 at RIP: 0010:mlx5evportrepload+0x22a/0x270 [mlx5core] Call Trace: <TASK> mlx5eswoffloadsrepload+0x68/0xe0 [mlx5core] eswoffloadsenable+0x593/0x910 [mlx5core] mlx5eswitchenablelocked+0x341/0x420 [mlx5core] mlx5devlinkeswitchmodeset+0x17e/0x3a0 [mlx5core] devlinknleswitchsetdoit+0x60/0xd0 genlfamilyrcvmsgdoit+0xe0/0x130 genlrcvmsg+0x183/0x290 netlinkrcvskb+0x4b/0xf0 genlrcv+0x24/0x40 netlinkunicast+0x255/0x380 netlinksendmsg+0x1f3/0x420 _socksendmsg+0x38/0x60 _syssendto+0x119/0x180 dosyscall64+0x53/0x1d0 entrySYSCALL64afterhwframe+0x4b/0x53

Ensure the pointer is valid before use by checking it for NULL. If it is valid, immediately call netdev_hold() to take a reference, and preventing the netdevice from being freed while it is in use.(CVE-2025-39947)

In the Linux kernel, the following vulnerability has been resolved:

media: tuner: xc5000: Fix use-after-free in xc5000_release

The original code uses canceldelayedwork() in xc5000release(), which does not guarantee that the delayed work item timersleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000release() may free the xc5000priv while timersleep is still active and attempts to dereference the xc5000priv.

A typical race condition is illustrated below:

CPU 0 (release thread) | CPU 1 (delayed work callback) xc5000release() | xc5000dotimersleep() canceldelayedwork() | hybridtunerreleasestate(priv) | kfree(priv) | | priv = containerof() // UAF

Replace canceldelayedwork() with canceldelayedworksync() to ensure that the timersleep is properly canceled before the xc5000_priv memory is deallocated.

A deadlock concern was considered: xc5000release() is called in a process context and is not holding any locks that the timersleep work item might also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

hverkuil: fix typo in Subject: tunner -> tuner

In the Linux kernel, the following vulnerability has been resolved:

media: b2c2: Fix use-after-free causing by irqcheckwork in flexcoppciremove

The original code uses canceldelayedwork() in flexcoppciremove(), which does not guarantee that the delayed work item irqcheckwork has fully completed if it was already running. This leads to use-after-free scenarios where flexcoppciremove() may free the flexcopdevice while irqcheck_work is still active and attempts to dereference the device.

A typical race condition is illustrated below:

CPU 0 (remove) | CPU 1 (delayed work callback) flexcoppciremove() | flexcoppciirqcheckwork() canceldelayedwork() | flexcopdevicekfree(fcpci->fcdev) | | fc = fcpci->fcdev; // UAF

This is confirmed by a KASAN report:

================================================================== BUG: KASAN: slab-use-after-free in runtimerbase.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace: <IRQ> dumpstacklvl+0x55/0x70 printreport+0xcf/0x610 ? _runtimerbase.part.0+0x7d7/0x8c0 kasanreport+0xb8/0xf0 ? _runtimerbase.part.0+0x7d7/0x8c0 _runtimerbase.part.0+0x7d7/0x8c0 ? _pfxruntimerbase.part.0+0x10/0x10 ? _pfxreadtsc+0x10/0x10 ? ktimeget+0x60/0x140 ? lapicnextevent+0x11/0x20 ? clockeventsprogramevent+0x1d4/0x2a0 runtimersoftirq+0xd1/0x190 handlesoftirqs+0x16a/0x550 irqexitrcu+0xaf/0xe0 sysvecapictimer_interrupt+0x70/0x80 </IRQ> ...

Allocated by task 1: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 _kasankmalloc+0x7f/0x90 _kmallocnoprof+0x1be/0x460 flexcopdevicekmalloc+0x54/0xe0 flexcoppciprobe+0x1f/0x9d0 localpciprobe+0xdc/0x190 pcideviceprobe+0x2fe/0x470 reallyprobe+0x1ca/0x5c0 _driverprobedevice+0x248/0x310 driverprobedevice+0x44/0x120 _driverattach+0xd2/0x310 busforeachdev+0xed/0x170 busadddriver+0x208/0x500 driverregister+0x132/0x460 dooneinitcall+0x89/0x300 kernelinitfreeable+0x40d/0x720 kernelinit+0x1a/0x150 retfromfork+0x10c/0x1a0 retfromforkasm+0x1a/0x30

Freed by task 135: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3a/0x60 _kasanslabfree+0x3f/0x50 kfree+0x137/0x370 flexcopdevicekfree+0x32/0x50 pcideviceremove+0xa6/0x1d0 devicereleasedriverinternal+0xf8/0x210 pcistopbusdevice+0x105/0x150 pcistopandremovebusdevicelocked+0x15/0x30 removestore+0xcc/0xe0 kernfsfopwriteiter+0x2c3/0x440 vfswrite+0x871/0xd70 ksyswrite+0xee/0x1c0 dosyscall64+0xac/0x280 entrySYSCALL64afterhwframe+0x77/0x7f ...

Replace canceldelayedwork() with canceldelayedwork_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.

This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcoppciirqcheckwork() function to increase the likelihood of triggering the bug.(CVE-2025-39996)

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Mark invalid entities with id UVCINVALIDENTITY_ID

Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID.

Each Unit and Terminal within the video function is assigned a unique
identification number, the Unit ID (UID) or Terminal ID (TID), contained in
the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
reserved for undefined ID,

If we add a new entity with id 0 or a duplicated ID, it will be marked as UVCINVALIDENTITY_ID.

In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID"), we ignored all the invalid units, this broke a lot of non-compatible cameras. Hopefully we are more lucky this time.

This also prevents some syzkaller reproducers from triggering warnings due to a chain of entities referring to themselves. In one particular case, an Output Unit is connected to an Input Unit, both with the same ID of 1. But when looking up for the source ID of the Output Unit, that same entity is found instead of the input entity, which leads to such warnings.

In another case, a backward chain was considered finished as the source ID was 0. Later on, that entity was found, but its pads were not valid.

Here is a sample stack trace for one of those cases.

[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummyhcd [ 20.830206] usb 1-1: Using ep0 maxpacket: 8 [ 20.833501] usb 1-1: config 0 descriptor?? [ 21.038518] usb 1-1: string descriptor 0 read error: -71 [ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201) [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! [ 21.042218] ------------[ cut here ]------------ [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 mediacreatepadlink+0x2c4/0x2e0 [ 21.043195] Modules linked in: [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 21.044639] Workqueue: usbhubwq hubevent [ 21.045100] RIP: 0010:mediacreatepadlink+0x2c4/0x2e0 [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 [ 21.051136] PKRU: 55555554 [ 21.051331] Call Trace: [ 21.051480] <TASK> [ 21.051611] ? _warn+0xc4/0x210 [ 21.051861] ? mediacreatepadlink+0x2c4/0x2e0 [ 21.052252] ? reportbug+0x11b/0x1a0 [ 21.052540] ? tracehardirqson+0x31/0x40 [ 21.052901] ? handlebug+0x3d/0x70 [ 21.053197] ? excinvalidop+0x1a/0x50 [ 21.053511] ? asmexcinvalidop+0x1a/0x20 [ 21.053924] ? mediacreatepadlink+0x91/0x2e0 [ 21.054364] ? mediacreatepadlink+0x2c4/0x2e0 [ 21.054834] ? mediacreatepadlink+0x91/0x2e0 [ 21.055131] ? rawspinunlock+0x1e/0x40 [ 21.055441] ? _v4l2deviceregistersubdev+0x202/0x210 [ 21.055837] uvcmcregisterentities+0x358/0x400 [ 21.056144] uvcregisterchains+0x1 ---truncated---(CVE-2025-40016)

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: fix uninit-value in squashfsgetparent

Syzkaller reports a "KMSAN: uninit-value in squashfsgetparent" bug.

This is caused by openbyhandle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory.

Squashfsgetparent() gets called with that symbolic link inode, and accesses the parent member field.

unsigned int parent_ino = squashfs_i(inode)->parent;

Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.

The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.

Regular inodes used to share the parent field with the blockliststart field. This is removed in this commit to enable the parent field to contain the invalid inode number 0.(CVE-2025-40049)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix crypto buffers in non-linear memory

The crypto API, through the scatterlist API, expects input buffers to be in linear memory. We handle this with the cifssgset_buf() helper that converts vmalloc'd memory to their corresponding pages.

However, when we allocate our aeadrequest buffer (@creq in smb2ops.c::cryptmessage()), we do so with kvzalloc(), which possibly puts aeadrequest->_ctx in vmalloc area.

AEAD algorithm then uses ->_ctx for its private/internal data and operations, and uses sgset_buf() for such data on a few places.

This works fine as long as @creq falls into kmalloc zone (small requests) or vmalloc'd memory is still within linear range.

Tasks' stacks are vmalloc'd by default (CONFIGVMAPSTACK=y), so too many tasks will increment the base stacks' addresses to a point where virtaddrvalid(buf) will fail (BUG() in sgsetbuf()) when that happens.

In practice: too many parallel reads and writes on an encrypted mount will trigger this bug.

To fix this, always alloc @creq with kmalloc() instead. Also drop the @sensitivesize variable/arguments since kfreesensitive() doesn't need it.

Backtrace:

[ 945.272081] ------------[ cut here ]------------ [ 945.272774] kernel BUG at include/linux/scatterlist.h:209! [ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUGPAGEALLOC NOPTI [ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary) [ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 [ 945.276877] Workqueue: writeback wbworkfn (flush-cifs-2) [ 945.277457] RIP: 0010:cryptogcminitcommon+0x1f9/0x220 [ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b [ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246 [ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030 [ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070 [ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000 [ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070 [ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010 [ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000 [ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0 [ 945.286683] Call Trace: [ 945.286952] <TASK> [ 945.287184] ? cryptmessage+0x33f/0xad0 [cifs] [ 945.287719] cryptogcmencrypt+0x36/0xe0 [ 945.288152] cryptmessage+0x54a/0xad0 [cifs] [ 945.288724] smb3inittransformrq+0x277/0x300 [cifs] [ 945.289300] smbsendrqst+0xa3/0x160 [cifs] [ 945.289944] cifscallasync+0x178/0x340 [cifs] [ 945.290514] ? pfxsmb2writevcallback+0x10/0x10 [cifs] [ 945.291177] smb2asyncwritev+0x3e3/0x670 [cifs] [ 945.291759] ? findheldlock+0x32/0x90 [ 945.292212] ? netfsadvancewrite+0xf2/0x310 [ 945.292723] netfsadvancewrite+0xf2/0x310 [ 945.293210] netfswritefolio+0x346/0xcc0 [ 945.293689] ? _pfxrawspinunlockirq+0x10/0x10 [ 945.294250] netfswritepages+0x117/0x460 [ 945.294724] dowritepages+0xbe/0x170 [ 945.295152] ? findheldlock+0x32/0x90 [ 945.295600] ? kvmschedclockread+0x11/0x20 [ 945.296103] _writebacksingleinode+0x56/0x4b0 [ 945.296643] writebacksbinodes+0x229/0x550 [ 945.297140] _writebackinodeswb+0x4c/0xe0 [ 945.297642] wbwriteback+0x2f1/0x3f0 [ 945.298069] wbworkfn+0x300/0x490 [ 945.298472] processonework+0x1fe/0x590 [ 945.298949] workerthread+0x1ce/0x3c0 [ 945.299397] ? _pfxworkerthread+0x10/0x10 [ 945.299900] kthr ---truncated---(CVE-2025-40052)

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Disallow dirty tracking if incoherent page walk

Dirty page tracking relies on the IOMMU atomically updating the dirty bit in the paging-structure entry. For this operation to succeed, the paging- structure memory must be coherent between the IOMMU and the CPU. In another word, if the iommu page walk is incoherent, dirty page tracking doesn't work.

The Intel VT-d specification, Section 3.10 "Snoop Behavior" states:

"Remapping hardware encountering the need to atomically update A/EA/D bits in a paging-structure entry that is not snooped will result in a non- recoverable fault."

To prevent an IOMMU from being incorrectly configured for dirty page tracking when it is operating in an incoherent mode, mark SSADS as supported only when both ecapslads and ecapsmpwc are supported.(CVE-2025-40058)

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race in do_task() when draining

When dotask() exhausts its iteration budget (!ret), it sets the state to TASKSTATEIDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASKSTATEDRAINING state set by a concurrent call to rxecleanuptask() or rxedisable_task().

While state changes are protected by a spinlock, both rxecleanuptask() and rxedisabletask() release the lock while waiting for the task to finish draining in the while(!isdone(task)) loop. The race occurs if dotask() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free.

This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost.

Fix this by restoring the original pre-migration behavior. If the state is TASKSTATEDRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASKSTATEDRAINED, stopping the task as intended.(CVE-2025-40061)

In the Linux kernel, the following vulnerability has been resolved:

ipv4: start using dstdevrcu()

Change icmpv4xrlimallow(), ip_defrag() to prevent possible UAF.

Change ipmrpreparexmit(), ipmrqueuefwdxmit(), ipmroutput(), ipv4neighlookup() to use lockdep enabled dstdev_rcu().(CVE-2025-40074)

In the Linux kernel, the following vulnerability has been resolved:

tcpmetrics: use dstdevnetrcu()

Replace three dst_dev() with a lockdep enabled helper.(CVE-2025-40075)

In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: fix mailbox API compatibility by negotiating supported features

There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.

This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.

Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.

The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.

To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.

New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.

Features negotiation mechanism gives possibility to be extended with new features when needed in the future.(CVE-2025-40104)

In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unepxected results like OOB access.

This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.(CVE-2025-40121)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: use RCU in ip6_xmit()

Use RCU in ip6xmit() in order to use dstdev_rcu() to prevent possible UAF.(CVE-2025-40135)

In the Linux kernel, the following vulnerability has been resolved:

smc: Use _skdstget() and dstdevrcu() in in smcclcprfxset().

smcclcprfx_set() is called during connect() and not under RCU nor RTNL.

Using skdstget(sk)->dev could trigger UAF.

Let's use _skdstget() and devdstrcu() under rcureadlock() after kernelgetsockname().

Note that the returned value of smcclcprfx_set() is not used in the caller.

While at it, we change the 1st arg of smcclcprfxset[46]rcu() not to touch dst there.(CVE-2025-40139)

In the Linux kernel, the following vulnerability has been resolved:

tls: Use _skdstget() and dstdevrcu() in getnetdevforsock().

getnetdevfor_sock() is called during setsockopt(), so not under RCU.

Using skdstget(sk)->dev could trigger UAF.

Let's use _skdstget() and dstdev_rcu().

Note that the only ->ndoskgetlowerdev() user is bondskgetlowerdev(), which uses RCU.(CVE-2025-40149)

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: debugfs: Fix legacy mode page table dump logic

In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR maybe uninitialized or zero in that case and may cause oops like:

Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014 RIP: 0010:pgtablewalklevel+0x98/0x150 RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206 RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000 RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000 R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98 FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: <TASK> pgtablewalklevel+0x88/0x150 domaintranslationstructshow.isra.0+0x2d9/0x300 devdomaintranslationstructshow+0x20/0x40 seqread_iter+0x12d/0x490 ...

Avoid walking the page table if TT is not 00b or 01b.(CVE-2025-40155)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: use RCU in ip6_output()

Use RCU in ip6output() in order to use dstdev_rcu() to prevent possible UAF.

We can remove rcureadlock()/rcureadunlock() pairs from ip6finishoutput2().(CVE-2025-40158)