{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.14.0-32-generic",
                "linux-modules-6.14.0-32-generic"
            ],
            "removed": [
                "linux-image-6.14.0-15-generic",
                "linux-modules-6.14.0-15-generic"
            ],
            "diff": [
                "apparmor",
                "apport",
                "apport-core-dump-handler",
                "bsdutils",
                "cloud-init",
                "cloud-init-base",
                "coreutils",
                "fdisk",
                "gpgv",
                "libapparmor1",
                "libblkid1",
                "libc-bin",
                "libc6",
                "libfdisk1",
                "libgnutls30t64",
                "libmount1",
                "libnetplan1",
                "libpam-modules",
                "libpam-modules-bin",
                "libpam-runtime",
                "libpam-systemd",
                "libpam0g",
                "libpython3.13-minimal",
                "libpython3.13-stdlib",
                "libsmartcols1",
                "libsqlite3-0",
                "libsystemd-shared",
                "libsystemd0",
                "libudev1",
                "libuuid1",
                "linux-image-virtual",
                "login",
                "mount",
                "netplan-generator",
                "netplan.io",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "perl-base",
                "python3-apport",
                "python3-distupgrade",
                "python3-netplan",
                "python3-problem-report",
                "python3-urllib3",
                "python3.13",
                "python3.13-minimal",
                "snapd",
                "sudo",
                "systemd",
                "systemd-resolved",
                "systemd-sysv",
                "systemd-timesyncd",
                "ubuntu-drivers-common",
                "ubuntu-pro-client",
                "ubuntu-release-upgrader-core",
                "udev",
                "util-linux",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "apparmor",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14",
                    "version": "4.1.0~beta5-0ubuntu14"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14.1",
                    "version": "4.1.0~beta5-0ubuntu14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2110236,
                    2110616,
                    2107402,
                    2107455,
                    2110628,
                    2107723,
                    2110624,
                    2107596,
                    2109029,
                    2110626,
                    2111807,
                    2107727,
                    2110688,
                    2110630,
                    2102033
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * This is an SRU from Questing to Plucky, tracked in LP: #2110236",
                            "  * Add patch to allow unprivileged_userns access to root dir",
                            "    (LP: #2110616):",
                            "    - d/p/u/unprivileged_userns_rootdir.patch",
                            "  * Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)",
                            "    and execution from a confined context (LP: #2107455):",
                            "    - d/p/u/lsblk-s390-fixes.patch",
                            "  * Add patch to fix execution of various commands from confined contexts",
                            "    (LP: #2110628):",
                            "    - d/p/u/profiles_ensure_access_to_attach_path.patch",
                            "  * Add patch to include new QtWebEngineProcess execution path in",
                            "    plasmashell profile (LP: #2107723):",
                            "    - d/p/u/plasmashell-QtWebEngineProcess-new-path.patch",
                            "  * Add patch to allow /cvmfs fusermounts (LP: #2110624):",
                            "    - d/p/u/fusermount3_cvmfs.patch",
                            "  * Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029):",
                            "    - d/p/u/openvpn_dnsfix.patch",
                            "  * Add patch to expand allowed fusermount3 flags for fuse_overlayfs and",
                            "    sshfs via fstab (LP: #2110626, LP: #2111807):",
                            "    - d/p/u/fusermount3_allow_more_flags.patch",
                            "  * Add patch to fix permission denials for iotop-c (LP: #2107727):",
                            "    - d/p/u/profiles-give-iotop-c-additional-accesses.patch",
                            "  * Add patch to fix parser handling of norelatime mount flag",
                            "    (LP: #2110688):",
                            "    - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch",
                            "  * Add patch to fix incorrect mount rule documentation in the apparmor.d",
                            "    man page (LP: #2110630):",
                            "    - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch",
                            "  * Add patch to add regression tests for the above two patches:",
                            "    - d/p/u/regression-verify-documented-mount-flag-behavior.patch",
                            "  * d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:",
                            "    move the remmina profile to profiles/apparmor/profiles/extras to",
                            "    disable it by default (LP: #2102033)",
                            "  * debian/apparmor.install: remove the remmina profile entry",
                            "  * debian/apparmor-profiles.install: add an entry for the remmina profile",
                            "  * debian/apparmor.maintscript: remove the remmina profile upon upgrade",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "4.1.0~beta5-0ubuntu14.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110236,
                            2110616,
                            2107402,
                            2107455,
                            2110628,
                            2107723,
                            2110624,
                            2107596,
                            2109029,
                            2110626,
                            2111807,
                            2107727,
                            2110688,
                            2110630,
                            2102033
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Wed, 27 May 2025 11:29:02 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "apport",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.2",
                    "version": "2.32.0-0ubuntu5.2"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.3",
                    "version": "2.32.0-0ubuntu5.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.32.0-0ubuntu5.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 08:30:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "apport-core-dump-handler",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.2",
                    "version": "2.32.0-0ubuntu5.2"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.3",
                    "version": "2.32.0-0ubuntu5.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.32.0-0ubuntu5.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 08:30:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bsdutils",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "1:2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "1:2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.2-0ubuntu0~25.04.1",
                    "version": "25.1.2-0ubuntu0~25.04.1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.4-0ubuntu0~25.04.1",
                    "version": "25.1.4-0ubuntu0~25.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-11584",
                        "url": "https://ubuntu.com/security/CVE-2024-11584",
                        "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2069607,
                    2114229,
                    2069607
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Upstream security bugfix release based on 25.1.4.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "      + fix: disable cloud-init when non-x86 environments have no DMI-data",
                            "        and no strict datasources detected (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.4-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Tue, 24 Jun 2025 15:08:29 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-11584",
                                "url": "https://ubuntu.com/security/CVE-2024-11584",
                                "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only",
                            "    share dir (CVE-2024-11584)",
                            "  * Upstream security bugfix release based on 25.1.3.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "    - security: make hotplug socket only writable by root (LP: #2114229)",
                            "      (CVE-2024-11584)",
                            "    - security: make ds-identify behavior strict datasource discovery on",
                            "      non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.3-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2114229,
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Thu, 12 Jun 2025 15:05:34 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init-base",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.2-0ubuntu0~25.04.1",
                    "version": "25.1.2-0ubuntu0~25.04.1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.4-0ubuntu0~25.04.1",
                    "version": "25.1.4-0ubuntu0~25.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-11584",
                        "url": "https://ubuntu.com/security/CVE-2024-11584",
                        "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2069607,
                    2114229,
                    2069607
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Upstream security bugfix release based on 25.1.4.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "      + fix: disable cloud-init when non-x86 environments have no DMI-data",
                            "        and no strict datasources detected (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.4-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Tue, 24 Jun 2025 15:08:29 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-11584",
                                "url": "https://ubuntu.com/security/CVE-2024-11584",
                                "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only",
                            "    share dir (CVE-2024-11584)",
                            "  * Upstream security bugfix release based on 25.1.3.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "    - security: make hotplug socket only writable by root (LP: #2114229)",
                            "      (CVE-2024-11584)",
                            "    - security: make ds-identify behavior strict datasource discovery on",
                            "      non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.3-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2114229,
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Thu, 12 Jun 2025 15:05:34 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "coreutils",
                "from_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.5-1ubuntu1.25.04.1",
                    "version": "9.5-1ubuntu1.25.04.1"
                },
                "to_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.5-1ubuntu1.25.04.2",
                    "version": "9.5-1ubuntu1.25.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115274
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/suppress-permission-denied-errors-on-nfs.patch:",
                            "    - Avoid returning permission denied errors when running ls -l when reading",
                            "      file attributes. (LP: #2115274)",
                            ""
                        ],
                        "package": "coreutils",
                        "version": "9.5-1ubuntu1.25.04.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2115274
                        ],
                        "author": "Ghadi Elie Rahme <ghadi.rahme@canonical.com>",
                        "date": "Tue, 24 Jun 2025 17:18:28 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fdisk",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gpgv",
                "from_version": {
                    "source_package_name": "gnupg2",
                    "source_package_version": "2.4.4-2ubuntu23",
                    "version": "2.4.4-2ubuntu23"
                },
                "to_version": {
                    "source_package_name": "gnupg2",
                    "source_package_version": "2.4.4-2ubuntu23.1",
                    "version": "2.4.4-2ubuntu23.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-30258",
                        "url": "https://ubuntu.com/security/CVE-2025-30258",
                        "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-19 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2114775
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-30258",
                                "url": "https://ubuntu.com/security/CVE-2025-30258",
                                "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-19 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * debian/patches/fix-key-validity-regression-due-to-CVE-2025-",
                            "    30258.patch:",
                            "    - Fix a key validity regression following patches for CVE-2025-30258,",
                            "      causing trusted \"certify-only\" primary keys to be ignored when checking",
                            "      signature on user IDs and computing key validity. This regression makes",
                            "      imported keys signed by a trusted \"certify-only\" key have an unknown",
                            "      validity (LP: #2114775).",
                            ""
                        ],
                        "package": "gnupg2",
                        "version": "2.4.4-2ubuntu23.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2114775
                        ],
                        "author": "dcpi <dcpi@u22vm>",
                        "date": "Thu, 26 Jun 2025 18:13:59 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libapparmor1",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14",
                    "version": "4.1.0~beta5-0ubuntu14"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14.1",
                    "version": "4.1.0~beta5-0ubuntu14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2110236,
                    2110616,
                    2107402,
                    2107455,
                    2110628,
                    2107723,
                    2110624,
                    2107596,
                    2109029,
                    2110626,
                    2111807,
                    2107727,
                    2110688,
                    2110630,
                    2102033
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * This is an SRU from Questing to Plucky, tracked in LP: #2110236",
                            "  * Add patch to allow unprivileged_userns access to root dir",
                            "    (LP: #2110616):",
                            "    - d/p/u/unprivileged_userns_rootdir.patch",
                            "  * Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)",
                            "    and execution from a confined context (LP: #2107455):",
                            "    - d/p/u/lsblk-s390-fixes.patch",
                            "  * Add patch to fix execution of various commands from confined contexts",
                            "    (LP: #2110628):",
                            "    - d/p/u/profiles_ensure_access_to_attach_path.patch",
                            "  * Add patch to include new QtWebEngineProcess execution path in",
                            "    plasmashell profile (LP: #2107723):",
                            "    - d/p/u/plasmashell-QtWebEngineProcess-new-path.patch",
                            "  * Add patch to allow /cvmfs fusermounts (LP: #2110624):",
                            "    - d/p/u/fusermount3_cvmfs.patch",
                            "  * Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029):",
                            "    - d/p/u/openvpn_dnsfix.patch",
                            "  * Add patch to expand allowed fusermount3 flags for fuse_overlayfs and",
                            "    sshfs via fstab (LP: #2110626, LP: #2111807):",
                            "    - d/p/u/fusermount3_allow_more_flags.patch",
                            "  * Add patch to fix permission denials for iotop-c (LP: #2107727):",
                            "    - d/p/u/profiles-give-iotop-c-additional-accesses.patch",
                            "  * Add patch to fix parser handling of norelatime mount flag",
                            "    (LP: #2110688):",
                            "    - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch",
                            "  * Add patch to fix incorrect mount rule documentation in the apparmor.d",
                            "    man page (LP: #2110630):",
                            "    - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch",
                            "  * Add patch to add regression tests for the above two patches:",
                            "    - d/p/u/regression-verify-documented-mount-flag-behavior.patch",
                            "  * d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:",
                            "    move the remmina profile to profiles/apparmor/profiles/extras to",
                            "    disable it by default (LP: #2102033)",
                            "  * debian/apparmor.install: remove the remmina profile entry",
                            "  * debian/apparmor-profiles.install: add an entry for the remmina profile",
                            "  * debian/apparmor.maintscript: remove the remmina profile upon upgrade",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "4.1.0~beta5-0ubuntu14.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110236,
                            2110616,
                            2107402,
                            2107455,
                            2110628,
                            2107723,
                            2110624,
                            2107596,
                            2109029,
                            2110626,
                            2111807,
                            2107727,
                            2110688,
                            2110630,
                            2102033
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Wed, 27 May 2025 11:29:02 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libblkid1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1",
                    "version": "2.41-6ubuntu1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1.2",
                    "version": "2.41-6ubuntu1.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8058",
                        "url": "https://ubuntu.com/security/CVE-2025-8058",
                        "cve_description": "The regcomp function in the GNU C library versions 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-23 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5702",
                        "url": "https://ubuntu.com/security/CVE-2025-5702",
                        "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-05 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5745",
                        "url": "https://ubuntu.com/security/CVE-2025-5745",
                        "cve_description": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-05 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8058",
                                "url": "https://ubuntu.com/security/CVE-2025-8058",
                                "cve_description": "The regcomp function in the GNU C library versions 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-23 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free in regcomp function",
                            "    - debian/patches/any/CVE-2025-8058.patch: fix double-free after",
                            "      allocation failure in regcomp in posix/Makefile, posix/regcomp.c,",
                            "      posix/tst-regcomp-bracket-free.c.",
                            "    - CVE-2025-8058",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.41-6ubuntu1.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 17 Sep 2025 08:17:39 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-5702",
                                "url": "https://ubuntu.com/security/CVE-2025-5702",
                                "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-05 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-5745",
                                "url": "https://ubuntu.com/security/CVE-2025-5745",
                                "cve_description": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-05 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure power10 strcmp implementation",
                            "    - debian/patches/any/CVE-2025-5702.patch: remove power10 optimized",
                            "      strcmp.",
                            "    - CVE-2025-5702",
                            "  * SECURITY UPDATE: insecure power10 strncmp implementation",
                            "    - debian/patches/any/CVE-2025-5745.patch: remove power10 optimized",
                            "      strncmp.",
                            "    - CVE-2025-5745",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.41-6ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 09 Jul 2025 12:42:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc6",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1",
                    "version": "2.41-6ubuntu1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1.2",
                    "version": "2.41-6ubuntu1.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8058",
                        "url": "https://ubuntu.com/security/CVE-2025-8058",
                        "cve_description": "The regcomp function in the GNU C library versions 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-23 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5702",
                        "url": "https://ubuntu.com/security/CVE-2025-5702",
                        "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-05 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5745",
                        "url": "https://ubuntu.com/security/CVE-2025-5745",
                        "cve_description": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-05 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8058",
                                "url": "https://ubuntu.com/security/CVE-2025-8058",
                                "cve_description": "The regcomp function in the GNU C library versions 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-23 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free in regcomp function",
                            "    - debian/patches/any/CVE-2025-8058.patch: fix double-free after",
                            "      allocation failure in regcomp in posix/Makefile, posix/regcomp.c,",
                            "      posix/tst-regcomp-bracket-free.c.",
                            "    - CVE-2025-8058",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.41-6ubuntu1.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 17 Sep 2025 08:17:39 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-5702",
                                "url": "https://ubuntu.com/security/CVE-2025-5702",
                                "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-05 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-5745",
                                "url": "https://ubuntu.com/security/CVE-2025-5745",
                                "cve_description": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-05 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure power10 strcmp implementation",
                            "    - debian/patches/any/CVE-2025-5702.patch: remove power10 optimized",
                            "      strcmp.",
                            "    - CVE-2025-5702",
                            "  * SECURITY UPDATE: insecure power10 strncmp implementation",
                            "    - debian/patches/any/CVE-2025-5745.patch: remove power10 optimized",
                            "      strncmp.",
                            "    - CVE-2025-5745",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.41-6ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 09 Jul 2025 12:42:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfdisk1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgnutls30t64",
                "from_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.9-2ubuntu3",
                    "version": "3.8.9-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.9-2ubuntu3.1",
                    "version": "3.8.9-2ubuntu3.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-32988",
                        "url": "https://ubuntu.com/security/CVE-2025-32988",
                        "cve_description": "A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.  This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-32989",
                        "url": "https://ubuntu.com/security/CVE-2025-32989",
                        "cve_description": "A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-32990",
                        "url": "https://ubuntu.com/security/CVE-2025-32990",
                        "cve_description": "A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6395",
                        "url": "https://ubuntu.com/security/CVE-2025-6395",
                        "cve_description": "A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-32988",
                                "url": "https://ubuntu.com/security/CVE-2025-32988",
                                "cve_description": "A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.  This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-32989",
                                "url": "https://ubuntu.com/security/CVE-2025-32989",
                                "cve_description": "A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-32990",
                                "url": "https://ubuntu.com/security/CVE-2025-32990",
                                "cve_description": "A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-6395",
                                "url": "https://ubuntu.com/security/CVE-2025-6395",
                                "cve_description": "A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free via otherName in the SAN",
                            "    - debian/patches/CVE-2025-32988.patch: avoid double free when exporting",
                            "      othernames in SAN in lib/x509/extensions.c.",
                            "    - CVE-2025-32988",
                            "  * SECURITY UPDATE: OOB read via malformed length field in SCT extension",
                            "    - debian/patches/CVE-2025-32989.patch: fix read buffer overrun in SCT",
                            "      timestamps in lib/x509/x509_ext.c.",
                            "    - CVE-2025-32989",
                            "  * SECURITY UPDATE: heap write overflow in certtool via invalid template",
                            "    - debian/patches/CVE-2025-32990.patch: avoid 1-byte write buffer",
                            "      overrun when parsing template in src/certtool-cfg.c,",
                            "      tests/cert-tests/Makefile.am, tests/cert-tests/template-test.sh,",
                            "      tests/cert-tests/templates/template-too-many-othernames.tmpl.",
                            "    - CVE-2025-32990",
                            "  * SECURITY UPDATE: NULL deref via missing PSK in TLS 1.3 handshake",
                            "    - debian/patches/CVE-2025-6395.patch: clear HSK_PSK_SELECTED when",
                            "      resetting binders in lib/handshake.c, lib/state.c, tests/Makefile.am,",
                            "      tests/tls13/hello_retry_request_psk.c.",
                            "    - CVE-2025-6395",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.9-2ubuntu3.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 11 Jul 2025 08:32:46 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmount1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnetplan1",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1",
                    "version": "1.1.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1.1",
                    "version": "1.1.2-2ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0005-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0006-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0007-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-modules",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4",
                    "version": "1.5.3-7ubuntu4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6020",
                        "url": "https://ubuntu.com/security/CVE-2025-6020",
                        "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2087827
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6020",
                                "url": "https://ubuntu.com/security/CVE-2025-6020",
                                "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: privilege escalation via pam_namespace",
                            "    - debian/patches/pam_namespace_170.patch: sync pam_namespace module to",
                            "      version 1.7.0.",
                            "    - debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes",
                            "      from upstream git tree.",
                            "    - debian/patches/pam_namespace_revert_abi.patch: revert ABI change to",
                            "      prevent unintended issues in running daemons.",
                            "    - debian/patches/CVE-2025-6020-1.patch: fix potential privilege",
                            "      escalation.",
                            "    - debian/patches/CVE-2025-6020-2.patch: add flags to indicate path",
                            "      safety.",
                            "    - debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at",
                            "      the group ownership.",
                            "    - debian/patches/pam_namespace_o_directory.patch: removed, included in",
                            "      patch cluster above.",
                            "    - CVE-2025-6020",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 12 Jun 2025 10:45:28 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2087827
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Mon, 26 May 2025 15:33:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-modules-bin",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4",
                    "version": "1.5.3-7ubuntu4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6020",
                        "url": "https://ubuntu.com/security/CVE-2025-6020",
                        "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2087827
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6020",
                                "url": "https://ubuntu.com/security/CVE-2025-6020",
                                "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: privilege escalation via pam_namespace",
                            "    - debian/patches/pam_namespace_170.patch: sync pam_namespace module to",
                            "      version 1.7.0.",
                            "    - debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes",
                            "      from upstream git tree.",
                            "    - debian/patches/pam_namespace_revert_abi.patch: revert ABI change to",
                            "      prevent unintended issues in running daemons.",
                            "    - debian/patches/CVE-2025-6020-1.patch: fix potential privilege",
                            "      escalation.",
                            "    - debian/patches/CVE-2025-6020-2.patch: add flags to indicate path",
                            "      safety.",
                            "    - debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at",
                            "      the group ownership.",
                            "    - debian/patches/pam_namespace_o_directory.patch: removed, included in",
                            "      patch cluster above.",
                            "    - CVE-2025-6020",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 12 Jun 2025 10:45:28 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2087827
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Mon, 26 May 2025 15:33:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-runtime",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4",
                    "version": "1.5.3-7ubuntu4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6020",
                        "url": "https://ubuntu.com/security/CVE-2025-6020",
                        "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2087827
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6020",
                                "url": "https://ubuntu.com/security/CVE-2025-6020",
                                "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: privilege escalation via pam_namespace",
                            "    - debian/patches/pam_namespace_170.patch: sync pam_namespace module to",
                            "      version 1.7.0.",
                            "    - debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes",
                            "      from upstream git tree.",
                            "    - debian/patches/pam_namespace_revert_abi.patch: revert ABI change to",
                            "      prevent unintended issues in running daemons.",
                            "    - debian/patches/CVE-2025-6020-1.patch: fix potential privilege",
                            "      escalation.",
                            "    - debian/patches/CVE-2025-6020-2.patch: add flags to indicate path",
                            "      safety.",
                            "    - debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at",
                            "      the group ownership.",
                            "    - debian/patches/pam_namespace_o_directory.patch: removed, included in",
                            "      patch cluster above.",
                            "    - CVE-2025-6020",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 12 Jun 2025 10:45:28 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2087827
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Mon, 26 May 2025 15:33:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam0g",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4",
                    "version": "1.5.3-7ubuntu4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6020",
                        "url": "https://ubuntu.com/security/CVE-2025-6020",
                        "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2087827
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6020",
                                "url": "https://ubuntu.com/security/CVE-2025-6020",
                                "cve_description": "A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: privilege escalation via pam_namespace",
                            "    - debian/patches/pam_namespace_170.patch: sync pam_namespace module to",
                            "      version 1.7.0.",
                            "    - debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes",
                            "      from upstream git tree.",
                            "    - debian/patches/pam_namespace_revert_abi.patch: revert ABI change to",
                            "      prevent unintended issues in running daemons.",
                            "    - debian/patches/CVE-2025-6020-1.patch: fix potential privilege",
                            "      escalation.",
                            "    - debian/patches/CVE-2025-6020-2.patch: add flags to indicate path",
                            "      safety.",
                            "    - debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at",
                            "      the group ownership.",
                            "    - debian/patches/pam_namespace_o_directory.patch: removed, included in",
                            "      patch cluster above.",
                            "    - CVE-2025-6020",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 12 Jun 2025 10:45:28 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2087827
                        ],
                        "author": "Simon Chopin <schopin@ubuntu.com>",
                        "date": "Mon, 26 May 2025 15:33:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.13-minimal",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.1",
                    "version": "3.13.3-1ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre1.patch: Add additional",
                            "      tests in ./Lib/test/test_ntpath.py and ./Lib/test/test_posixpath.py.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 16 Jun 2025 15:45:32 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.13-stdlib",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.1",
                    "version": "3.13.3-1ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre1.patch: Add additional",
                            "      tests in ./Lib/test/test_ntpath.py and ./Lib/test/test_posixpath.py.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 16 Jun 2025 15:45:32 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsmartcols1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsqlite3-0",
                "from_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.46.1-3ubuntu0.1",
                    "version": "3.46.1-3ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.46.1-3ubuntu0.3",
                    "version": "3.46.1-3ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-7709",
                        "url": "https://ubuntu.com/security/CVE-2025-7709",
                        "cve_description": "An integer overflow exists in the FTS5 (https://sqlite.org/fts5.html) extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-08 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6965",
                        "url": "https://ubuntu.com/security/CVE-2025-6965",
                        "cve_description": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 14:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-7709",
                                "url": "https://ubuntu.com/security/CVE-2025-7709",
                                "cve_description": "An integer overflow exists in the FTS5 (https://sqlite.org/fts5.html) extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-08 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in FTS5 extension",
                            "    - debian/patches/CVE-2025-7709.patch: optimize allocation of large",
                            "      tombstone arrays in fts5 in ext/fts5/fts5_index.c.",
                            "    - CVE-2025-7709",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.46.1-3ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 11 Sep 2025 14:03:41 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6965",
                                "url": "https://ubuntu.com/security/CVE-2025-6965",
                                "cve_description": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Memory corruption via number of aggregate terms",
                            "    - debian/patches/CVE-2025-6965.patch: raise an error right away if the",
                            "      number of aggregate terms in a query exceeds the maximum number of",
                            "      columns in src/expr.c, src/sqliteInt.h.",
                            "    - CVE-2025-6965",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.46.1-3ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 18 Jul 2025 10:53:51 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libuuid1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.14.0-15.15",
                    "version": "6.14.0-15.15"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.14.0-32.32",
                    "version": "6.14.0-32.32"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-32.32",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-32.32",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 29 Aug 2025 11:56:33 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-30.30",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-30.30",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Wed, 13 Aug 2025 15:25:30 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-28.28",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-28.28",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:09:01 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-27.27",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-27.27",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 22 Jul 2025 16:57:16 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-26.26",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-26.26",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 11 Jul 2025 14:33:21 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-24.24",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-24.24",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 15 Jun 2025 12:04:57 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-22.22",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-22.22",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 21 May 2025 11:45:42 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-20.20",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-20.20",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 20 May 2025 13:38:34 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-17.17",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-17.17",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Thu, 01 May 2025 10:40:31 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "login",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "1:4.16.0-2+really2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "1:4.16.0-2+really2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "mount",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan-generator",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1",
                    "version": "1.1.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1.1",
                    "version": "1.1.2-2ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0005-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0006-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0007-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan.io",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1",
                    "version": "1.1.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1.1",
                    "version": "1.1.2-2ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0005-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0006-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0007-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.1",
                    "version": "1:9.9p1-3ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.2",
                    "version": "1:9.9p1-3ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.9p1-3ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 08:50:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.1",
                    "version": "1:9.9p1-3ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.2",
                    "version": "1:9.9p1-3ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.9p1-3ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 08:50:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.1",
                    "version": "1:9.9p1-3ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.2",
                    "version": "1:9.9p1-3ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.9p1-3ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 08:50:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-base",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-2ubuntu0.1",
                    "version": "5.40.1-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-2ubuntu0.2",
                    "version": "5.40.1-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40909",
                        "url": "https://ubuntu.com/security/CVE-2025-40909",
                        "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths.  If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.  This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.  The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-30 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40909",
                                "url": "https://ubuntu.com/security/CVE-2025-40909",
                                "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths.  If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.  This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.  The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-30 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: threads race condition in file operations",
                            "    - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for",
                            "      fdopendir in regen-configure/U/perl/d_fdopendir.U.",
                            "    - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without",
                            "      fchdir in Configure, Cross/config.sh-arm-linux,",
                            "      Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,",
                            "      config_h.SH, configure.com, plan9/config_sh.sample, sv.c,",
                            "      t/op/threads-dirh.t, win32/config.gc, win32/config.vc.",
                            "    - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in",
                            "      Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,",
                            "      config_h.SH,plan9/config_sh.sample.",
                            "    - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec",
                            "      in Perl_dirp_dup to set O_CLOEXEC in sv.c.",
                            "    - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly",
                            "      reorder Configure and config_h.SH to match metaconfig output in",
                            "      Configure, config_h.SH.",
                            "    - CVE-2025-40909",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 13:26:40 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apport",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.2",
                    "version": "2.32.0-0ubuntu5.2"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.3",
                    "version": "2.32.0-0ubuntu5.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.32.0-0ubuntu5.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 08:30:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distupgrade",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.16",
                    "version": "1:25.04.16"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.18",
                    "version": "1:25.04.18"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111715,
                    2110891
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * On RISC-V check for RVA23U64 compatibility (LP: #2111715)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.04.18",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111715
                        ],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Mon, 07 Jul 2025 17:03:16 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * DistUpgradeQuirks: prevent upgrades if zfs is being used (LP: #2110891)",
                            "  * Run pre-build.sh: updating mirrors and translations.",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.04.17",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110891
                        ],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Fri, 06 Jun 2025 18:24:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-netplan",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1",
                    "version": "1.1.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2ubuntu1.1",
                    "version": "1.1.2-2ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0005-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0006-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0007-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-problem-report",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.2",
                    "version": "2.32.0-0ubuntu5.2"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.32.0-0ubuntu5.3",
                    "version": "2.32.0-0ubuntu5.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.32.0-0ubuntu5.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 08:30:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-urllib3",
                "from_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.3.0-2",
                    "version": "2.3.0-2"
                },
                "to_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.3.0-2ubuntu0.1",
                    "version": "2.3.0-2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-50181",
                        "url": "https://ubuntu.com/security/CVE-2025-50181",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-19 01:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-50182",
                        "url": "https://ubuntu.com/security/CVE-2025-50182",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-19 02:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-50181",
                                "url": "https://ubuntu.com/security/CVE-2025-50181",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-19 01:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-50182",
                                "url": "https://ubuntu.com/security/CVE-2025-50182",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-19 02:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Information disclosure through improperly disabled",
                            "    redirects.",
                            "    - debian/patches/CVE-2025-50181.patch: Add \"retries\" check and set retries",
                            "      to Retry.from_int(retries, redirect=False) as well as set",
                            "      raise_on_redirect in ./src/urllib3/poolmanager.py.",
                            "    - debian/patches/CVE-2025-50182.patch: Set fetch_data[\"redirect\"] to manual",
                            "      when in node.js and add _is_node_js() function in",
                            "      ./src/urllib3/contrib/emscripten/fetch.py.",
                            "    - CVE-2025-50181",
                            "    - CVE-2025-50182",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.3.0-2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 23 Jun 2025 14:59:50 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.1",
                    "version": "3.13.3-1ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre1.patch: Add additional",
                            "      tests in ./Lib/test/test_ntpath.py and ./Lib/test/test_posixpath.py.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 16 Jun 2025 15:45:32 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13-minimal",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.1",
                    "version": "3.13.3-1ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre1.patch: Add additional",
                            "      tests in ./Lib/test/test_ntpath.py and ./Lib/test/test_posixpath.py.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 16 Jun 2025 15:45:32 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.67.1+25.04",
                    "version": "2.67.1+25.04"
                },
                "to_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.68.5+ubuntu25.04.2",
                    "version": "2.68.5+ubuntu25.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098137,
                    2109843,
                    2104933,
                    2099709,
                    2101834,
                    2089195,
                    2072987,
                    1712808,
                    1966203,
                    1886414,
                    2089691
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2098137",
                            "    - LP: #2109843 fix missing preseed files when running in a container",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.5+ubuntu25.04.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2098137,
                            2109843
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 21 May 2025 17:46:09 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - Snap components: LP: #2104933 workaround for classic 24.04/24.10",
                            "      models that incorrectly specify core22 instead of core24",
                            "    - Update build dependencies",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.4+ubuntu25.04",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2104933
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 02 Apr 2025 19:48:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - FDE: use boot mode for FDE hooks",
                            "    - FDE: add snap-bootstrap compatibility check to prevent image",
                            "      creation with incompatible snapd and kernel snap",
                            "    - FDE: add argon2 out-of-process KDF support",
                            "    - FDE: have separate mutex for the sections writing a fresh modeenv",
                            "    - FDE: LP: #2099709 update secboot to e07f4ae48e98",
                            "    - FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to",
                            "      old keyring path",
                            "    - Confdb: support pruning ephemeral data and process alternative",
                            "      types in order",
                            "    - core-initrd: look at env to mount directly to /sysroot",
                            "    - core-initrd: prepare for Plucky build and split out 24.10",
                            "      (Oracular)",
                            "    - Fix Plucky snapd deb build issue related to /var/lib/snapd/void",
                            "      permissions",
                            "    - Fix snapd deb build complaint about ifneq with extra bracket",
                            "    - Fix missing primed packages in snapd snap manifest",
                            "    - Interfaces: posix-mq | fix incorrect clobbering of global variable",
                            "      and make interface more precise",
                            "    - Interfaces: opengl | add more kernel fusion driver files",
                            "    - Fix snap-confine type specifier type mismatch on armhf",
                            "    - FDE: add support for new and more extensible key format that is",
                            "      unified between TPM and FDE hook",
                            "    - FDE: add support for adding passphrases during installation",
                            "    - FDE: update secboot to 30317622bbbc",
                            "    - Snap components: make kernel components available on firstboot",
                            "      after either initramfs or ephemeral rootfs style install",
                            "    - Snap components: mount drivers tree from initramfs so kernel",
                            "      modules are available in early boot stages",
                            "    - Snap components: support remodeling to models that contain",
                            "      components",
                            "    - Snap components: support offline remodeling to models that contain",
                            "      components",
                            "    - Snap components: support creating new recovery systems with",
                            "      components",
                            "    - Snap components: support downloading components with 'snap",
                            "      download' command",
                            "    - Snap components: support sideloading asserted components",
                            "    - AppArmor Prompting(experimental): improve version checks and",
                            "      handling of listener notification protocol for communication with",
                            "      kernel AppArmor",
                            "    - AppArmor Prompting(experimental): make prompt replies idempotent,",
                            "      and have at most one rule for any given path pattern, with",
                            "      potentially mixed outcomes and lifespans",
                            "    - AppArmor Prompting(experimental): timeout unresolved prompts after",
                            "      a period of client inactivity",
                            "    - AppArmor Prompting(experimental): return an error if a patch",
                            "      request to the API would result in a rule without any permissions",
                            "    - AppArmor Prompting(experimental): warn if there is no prompting",
                            "      client present but prompting is enabled, or if a prompting-related",
                            "      error occurs during snapd startup",
                            "    - AppArmor Prompting(experimental): do not log error when converting",
                            "      empty permissions to AppArmor permissions",
                            "    - Confdb(experimental): rename registries to confdbs (including API",
                            "      /v2/registries => /v2/confdb)",
                            "    - Confdb(experimental): support marking confdb schemas as ephemeral",
                            "    - Confdb(experimental): add confdb-control assertion and feature",
                            "      flag",
                            "    - Refresh App Awareness(experimental): LP: #2089195 prevent",
                            "      possibility of incorrect notification that snap will quit and",
                            "      update",
                            "    - Confidential VMs: snap-bootstrap support for loading partition",
                            "      information from a manifest file for cloudimg-rootfs mode",
                            "    - Confidential VMs: snap-bootstrap support for setting up cloudimg-",
                            "      rootfs as an overlayfs with integrity protection",
                            "    - dm-verity for essential snaps: add support for snap-integrity",
                            "      assertion",
                            "    - Interfaces: modify AppArmor template to allow owner read on",
                            "      @{PROC}/@{pid}/fdinfo/*",
                            "    - Interfaces: LP: #2072987 modify AppArmor template to allow using",
                            "      setpriv to run daemon as non-root user",
                            "    - Interfaces: add configfiles backend that ensures the state of",
                            "      configuration files in the filesystem",
                            "    - Interfaces: add ldconfig backend that exposes libraries coming",
                            "      from snaps to either the rootfs or to other snaps",
                            "    - Interfaces: LP: #1712808 disable udev backend when",
                            "      inside a container",
                            "    - Interfaces: add auditd-support interface that grants audit_control",
                            "      capability and required paths for auditd to function",
                            "    - Interfaces: add checkbox-support interface that allows",
                            "      unrestricted access to all devices",
                            "    - Interfaces: fwupd | allow access to dell bios recovery",
                            "    - Interfaces: fwupd | allow access to shim and fallback shim",
                            "    - Interfaces: mount-control | add mount option validator to detect",
                            "      mount option conflicts early",
                            "    - Interfaces: cpu-control | add read access to /sys/kernel/irq/",
                            "    - Interfaces: locale-control | changed to be implicit on Ubuntu Core",
                            "      Desktop",
                            "    - Interfaces: microstack-support | support for utilizing AMD SEV",
                            "      capabilities",
                            "    - Interfaces: u2f | added missing OneSpan device product IDs",
                            "    - Interfaces: auditd-support | grant seccomp setpriority",
                            "    - Interfaces: opengl interface | enable parsing of nvidia driver",
                            "      information files",
                            "    - Interfaces: mount-control interface | add CIFS support",
                            "    - Allow mksquashfs 'xattrs' when packing snap types os, core, base",
                            "      and snapd as part of work to support non-root snap-confine",
                            "    - Upstream/downstream packaging changes and build updates",
                            "    - Improve error logs for malformed desktop files to also show which",
                            "      desktop file is at fault",
                            "    - Provide more precise error message when overriding channels with",
                            "      grade during seed creation",
                            "    - Expose 'snap prepare-image' validation parameter",
                            "    - Add snap-seccomp 'dump' command that dumps the filter rules from a",
                            "      compiled profile",
                            "    - Add fallback release info location /etc/initrd-release",
                            "    - Added core-initrd to snapd repo and fixed issues with ubuntu-core-",
                            "      initramfs deb builds",
                            "    - Remove stale robust-mount-namespace-updates experimental feature",
                            "      flag",
                            "    - Remove snapd-snap experimental feature (rejected) and its feature",
                            "      flag",
                            "    - Changed snap-bootstrap to mount base directly on /sysroot",
                            "    - Mount ubuntu-seed mounted as no-{suid,exec,dev}",
                            "    - Mapping volumes to disks: add support for volume-assignments in",
                            "      gadget",
                            "    - Fix silently broken binaries produced by distro patchelf 0.14.3 by",
                            "      using locally built patchelf 0.18",
                            "    - Fix mismatch between listed refresh candidates and actual refresh",
                            "      due to outdated validation sets",
                            "    - Fix 'snap get' to produce compact listing for tty",
                            "    - Fix missing store-url by keeping it as part of auxiliary store",
                            "      info",
                            "    - Fix snap-confine attempting to retrieve device cgroup setup inside",
                            "      container where it is not available",
                            "    - Fix 'snap set' and 'snap get' panic on empty strings with early",
                            "      error checking",
                            "    - Fix logger debug entries to show correct caller and file",
                            "      information",
                            "    - Fix issue preventing hybrid systems from being seeded on first",
                            "      boot",
                            "    - LP: #1966203 remove auto-import udev rules not required by deb",
                            "      package to avoid unwanted syslog errors",
                            "    - LP: #1886414 fix progress reporting when stdout is on a tty, but",
                            "      stdin is not",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.3+ubuntu25.04.3",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2099709,
                            2101834,
                            2089195,
                            2072987,
                            1712808,
                            1966203,
                            1886414
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Mon, 10 Mar 2025 20:13:38 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2089691",
                            "    - AppArmor prompting (experimental): allow overlapping rules",
                            "    - Registry view (experimental): Changes to registry data (from both",
                            "      users and snaps) can be validated and saved by custodian snaps",
                            "    - Registry view (experimental): Support 'snapctl get --pristine' to",
                            "      read the registry data excluding staged transaction changes",
                            "    - Registry view (experimental): Put registry commands behind",
                            "      experimental feature flag",
                            "    - Components: Make modules shipped/created by kernel-modules",
                            "      components available right after reboot",
                            "    - Components: Add tab completion for local component files",
                            "    - Components: Allow installing snaps and components from local files",
                            "      jointly on the CLI",
                            "    - Components: Allow 'snapctl model' command for gadget and kernel",
                            "      snaps",
                            "    - Components: Add 'snap components' command",
                            "    - Components: Bug fixes",
                            "    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for",
                            "      eMMC schema",
                            "    - Support for ephemeral recovery mode on hybrid systems",
                            "    - Support for dm-verity options in snap-bootstrap",
                            "    - Support for overlayfs options and allow empty what argument for",
                            "      tmpfs",
                            "    - Enable ubuntu-image to determine the size of the disk image to",
                            "      create",
                            "    - Expose 'snap debug' commands 'validate-seed' and 'seeding'",
                            "    - Add debug API option to use dedicated snap socket /run/snapd-",
                            "      snap.socket",
                            "    - Hide experimental features that are no longer required",
                            "      (accepted/rejected)",
                            "    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run",
                            "      and factory-reset",
                            "    - Improve memory controller support with cgroup v2",
                            "    - Support ssh socket activation configurations (used by ubuntu",
                            "      22.10+)",
                            "    - Fix generation of AppArmor profile with incorrect revision during",
                            "      multi snap refresh",
                            "    - Fix refresh app awareness related deadlock edge case",
                            "    - Fix not caching delta updated snap download",
                            "    - Fix passing non root uid, guid to initial tmpfs mount",
                            "    - Fix ignoring snaps in try mode when amending",
                            "    - Fix reloading of service activation units to avoid systemd errors",
                            "    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS",
                            "      updates PPA",
                            "    - Make killing of snap apps best effort to avoid possibility of",
                            "      malicious failure loop",
                            "    - Alleviate impact of auto-refresh failure loop with progressive",
                            "      delay",
                            "    - Dropped timedatex in selinux-policy to avoid runtime issue",
                            "    - Fix missing syscalls in seccomp profile",
                            "    - Modify AppArmor template to allow using SNAP_REEXEC on arch",
                            "      systems",
                            "    - Modify AppArmor template to allow using vim.tiny (available in",
                            "      base snaps)",
                            "    - Modify AppArmor template to add read-access to debian_version",
                            "    - Modify AppArmor template to allow owner to read",
                            "      @{PROC}/@{pid}/sessionid",
                            "    - {common,personal,system}-files interface: prohibit trailing @ in",
                            "      filepaths",
                            "    - {desktop,shutdown,system-observe,upower-observe} interface:",
                            "      improve for Ubuntu Core Desktop",
                            "    - custom-device interface: allow @ in custom-device filepaths",
                            "    - desktop interface: improve launch entry and systray integration",
                            "      with session",
                            "    - desktop-legacy interface: allow DBus access to",
                            "      com.canonical.dbusmenu",
                            "    - fwupd interface: allow access to nvmem for thunderbolt plugin",
                            "    - mpris interface: add plasmashell as label",
                            "    - mount-control interface: add support for nfs mounts",
                            "    - network-{control,manager} interface: add missing dbus link rules",
                            "    - network-manager-observe interface: add getDevices methods",
                            "    - opengl interface: add Kernel Fusion Driver access to opengl",
                            "    - screen-inhibit-control interface: improve screen inhibit control",
                            "      for use on core",
                            "    - udisks2 interface: allow ping of the UDisks2 service",
                            "    - u2f-devices interface: add Nitrokey Passkey",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.67",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2089691
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Mon, 02 Dec 2024 23:14:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sudo",
                "from_version": {
                    "source_package_name": "sudo",
                    "source_package_version": "1.9.16p2-1ubuntu1",
                    "version": "1.9.16p2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "sudo",
                    "source_package_version": "1.9.16p2-1ubuntu1.1",
                    "version": "1.9.16p2-1ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-32462",
                        "url": "https://ubuntu.com/security/CVE-2025-32462",
                        "cve_description": "Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-06-30 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-32463",
                        "url": "https://ubuntu.com/security/CVE-2025-32463",
                        "cve_description": "Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-06-30 21:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-32462",
                                "url": "https://ubuntu.com/security/CVE-2025-32462",
                                "cve_description": "Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-06-30 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-32463",
                                "url": "https://ubuntu.com/security/CVE-2025-32463",
                                "cve_description": "Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-06-30 21:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local Privilege Escalation via host option",
                            "    - debian/patches/CVE-2025-32462.patch: only allow specifying a host",
                            "      when listing privileges.",
                            "    - CVE-2025-32462",
                            "  * SECURITY UPDATE: Local Privilege Escalation via chroot option",
                            "    - debian/patches/CVE-2025-32463.patch: remove user-selected root",
                            "      directory chroot option.",
                            "    - CVE-2025-32463",
                            ""
                        ],
                        "package": "sudo",
                        "version": "1.9.16p2-1ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 25 Jun 2025 08:09:44 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-timesyncd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-drivers-common",
                "from_version": {
                    "source_package_name": "ubuntu-drivers-common",
                    "source_package_version": "1:0.10.2",
                    "version": "1:0.10.2"
                },
                "to_version": {
                    "source_package_name": "ubuntu-drivers-common",
                    "source_package_version": "1:0.10.2.1",
                    "version": "1:0.10.2.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115537
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Clarify gpgpu flag help text (LP: #2115537)",
                            ""
                        ],
                        "package": "ubuntu-drivers-common",
                        "version": "1:0.10.2.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2115537
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Tue, 01 Jul 2025 16:47:38 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "35.1ubuntu0",
                    "version": "35.1ubuntu0"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "36ubuntu0~25.04",
                    "version": "36ubuntu0~25.04"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112382,
                    2112382,
                    2111610
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport 36ubuntu0 to plucky (LP: #2112382)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "36ubuntu0~25.04",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2112382
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Tue, 24 Jun 2025 09:20:16 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor/ubuntu_pro_esm_cache.jinja2: use openssl abstraction in the",
                            "    apparmor profile",
                            "  * New upstream release 36: (LP: #2112382)",
                            "    - api: display all available valid CVEs",
                            "    - attach: relax the onlySeries directive, so users can attach onlySeries",
                            "      tokens to all releases older than the target release",
                            "    - cli:",
                            "      + anbox-cloud: update installation instructions",
                            "      + collect-logs: do not overwrite the output file if it exists",
                            "      + cve/cves:",
                            "        * return all affected packages for a cve (LP: #2111610)",
                            "        * handle the case where the vulnerability data doesn't exist for the",
                            "          Ubuntu release",
                            "    - fips:",
                            "      + enable --access-only for all fips related services (GH: #3441)",
                            "      + allow enablement even when the -updates pocket is not available in the",
                            "        system (GH: #3439)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "36ubuntu0",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2112382,
                            2111610
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Fri, 06 Jun 2025 11:08:26 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-release-upgrader-core",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.16",
                    "version": "1:25.04.16"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.18",
                    "version": "1:25.04.18"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111715,
                    2110891
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * On RISC-V check for RVA23U64 compatibility (LP: #2111715)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.04.18",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111715
                        ],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Mon, 07 Jul 2025 17:03:16 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * DistUpgradeQuirks: prevent upgrades if zfs is being used (LP: #2110891)",
                            "  * Run pre-build.sh: updating mirrors and translations.",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.04.17",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110891
                        ],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Fri, 06 Jun 2025 18:24:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "util-linux",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1",
                    "version": "2.40.2-14ubuntu1"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.40.2-14ubuntu1.1",
                    "version": "2.40.2-14ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 1/3] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 2/3] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 3/3] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.40.2-14ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 15:03:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0967-1ubuntu4",
                    "version": "2:9.1.0967-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0967-1ubuntu4.1",
                    "version": "2:9.1.0967-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-53905",
                        "url": "https://ubuntu.com/security/CVE-2025-53905",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-53906",
                        "url": "https://ubuntu.com/security/CVE-2025-53906",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 21:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-53905",
                                "url": "https://ubuntu.com/security/CVE-2025-53905",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-53906",
                                "url": "https://ubuntu.com/security/CVE-2025-53906",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content, so a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 21:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path traversal when opening specially crafted tar/zip",
                            "    archives.",
                            "    - debian/patches/CVE-2025-53905.patch: Replace \"echohl Error\" with call,",
                            "      remove leading slashes from name, replace tar_secure with g:tar_secure in",
                            "      runtime/autoload/tar.vim.",
                            "    - debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w,",
                            "      call warning for path traversal attack, and escape leading \"../\" in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2025-53905",
                            "    - CVE-2025-53906",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0967-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 27 Aug 2025 17:17:04 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.14.0-32-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-15.15",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-32.32",
                    "version": "6.14.0-32.32"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-32.32",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-32.32",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 29 Aug 2025 11:56:13 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-30.30",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-30.30",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Wed, 13 Aug 2025 15:25:59 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-28.28",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-28.28",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:08:28 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-27.27",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-27.27",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 22 Jul 2025 16:46:56 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-26.26",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-26.26",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 11 Jul 2025 14:32:35 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-24.24",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-24.24",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 15 Jun 2025 12:05:34 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-22.22",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-22.22",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 21 May 2025 11:44:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-20.20",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-20.20",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 20 May 2025 13:38:19 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-17.17",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-17.17",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Thu, 01 May 2025 10:41:20 +0300"
                    }
                ],
                "notes": "linux-image-6.14.0-32-generic version '6.14.0-32.32' (source package linux-signed version '6.14.0-32.32') was added. linux-image-6.14.0-32-generic version '6.14.0-32.32' has the same source package name, linux-signed, as removed package linux-image-6.14.0-15-generic. As such we can use the source package version of the removed package, '6.14.0-15.15', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.14.0-32-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-15.15",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-32.32",
                    "version": "6.14.0-32.32"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-38105",
                        "url": "https://ubuntu.com/security/CVE-2025-38105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Kill timer properly at removal  The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call.  This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer.  For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38114",
                        "url": "https://ubuntu.com/security/CVE-2025-38114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  e1000: Move cancel_work_sync to avoid deadlock  Previously, e1000_down called cancel_work_sync for the e1000 reset task (via e1000_down_and_stop), which takes RTNL.  As reported by users and syzbot, a deadlock is possible in the following scenario:  CPU 0:   - RTNL is held   - e1000_close   - e1000_down   - cancel_work_sync (cancel / wait for e1000_reset_task())  CPU 1:   - process_one_work   - e1000_reset_task   - take RTNL  To remedy this, avoid calling cancel_work_sync from e1000_down (e1000_reset_task does nothing if the device is down anyway). Instead, call cancel_work_sync for e1000_reset_task when the device is being removed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38116",
                        "url": "https://ubuntu.com/security/CVE-2025-38116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix uaf in ath12k_core_init()  When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain.  Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases.  Call trace:  notifier_chain_register+0x4c/0x1f0 (P)  atomic_notifier_chain_register+0x38/0x68  ath12k_core_init+0x50/0x4e8 [ath12k]  ath12k_pci_probe+0x5f8/0xc28 [ath12k]  pci_device_probe+0xbc/0x1a8  really_probe+0xc8/0x3a0  __driver_probe_device+0x84/0x1b0  driver_probe_device+0x44/0x130  __driver_attach+0xcc/0x208  bus_for_each_dev+0x84/0x100  driver_attach+0x2c/0x40  bus_add_driver+0x130/0x260  driver_register+0x70/0x138  __pci_register_driver+0x68/0x80  ath12k_pci_init+0x30/0x68 [ath12k]  ath12k_init+0x28/0x78 [ath12k]  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38306",
                        "url": "https://ubuntu.com/security/CVE-2025-38306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/fhandle.c: fix a race in call of has_locked_children()  may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race...  The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question.  Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it.  Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38272",
                        "url": "https://ubuntu.com/security/CVE-2025-38272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dsa: b53: do not enable EEE on bcm63xx  BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers.  Fix this by checking if the switch actually supports EEE before attempting to configure it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38311",
                        "url": "https://ubuntu.com/security/CVE-2025-38311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iavf: get rid of the crit lock  Get rid of the crit lock. That frees us from the error prone logic of try_locks.  Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case.  Lockdep reports that we should cancel the work under crit_lock [splat1], and that was the scheme we have mostly followed since [1] by Slawomir. But when that is done we still got into deadlocks [splat2]. So instead we should look at the bigger problem, namely \"weird locking/scheduling\" of the iavf. The first step to fix that is to remove the crit lock. I will followup with a -next series that simplifies scheduling/tasks.  Cancel the work without netdev lock (weird unlock+lock scheme), to fix the [splat2] (which would be totally ugly if we would kept the crit lock).  Extend protected part of iavf_watchdog_task() to include scheduling more work.  Note that the removed comment in iavf_reset_task() was misplaced, it belonged to inside of the removed if condition, so it's gone now.  [splat1] - w/o this patch - The deadlock during VF removal:      WARNING: possible circular locking dependency detected      sh/3825 is trying to acquire lock:       ((work_completion)(&(&adapter->watchdog_task)->work)){+.+.}-{0:0}, at: start_flush_work+0x1a1/0x470           but task is already holding lock:       (&adapter->crit_lock){+.+.}-{4:4}, at: iavf_remove+0xd1/0x690 [iavf]           which lock already depends on the new lock.  
[splat2] - when cancelling work under crit lock, w/o this series, \t   see [2] for the band aid attempt     WARNING: possible circular locking dependency detected     sh/3550 is trying to acquire lock:     ((wq_completion)iavf){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90         but task is already holding lock:     (&dev->lock){+.+.}-{4:4}, at: iavf_remove+0xa6/0x6e0 [iavf]         which lock already depends on the new lock.  [1] fc2e6b3b132a (\"iavf: Rework mutexes for better synchronisation\") [2] https://github.com/pkitszel/linux/commit/52dddbfc2bb60294083f5711a158a",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38128",
                        "url": "https://ubuntu.com/security/CVE-2025-38128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands  In 'mgmt_hci_cmd_sync()', check whether the size of parameters passed in 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data (i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes). Otherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()' to do 'skb_put_data()' from an area beyond the one actually passed to 'mgmt_hci_cmd_sync()'.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38130",
                        "url": "https://ubuntu.com/security/CVE-2025-38130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/connector: only call HDMI audio helper plugged cb if non-null  On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb with NULL as the callback function and codec_dev, as seen in its hdmi_remove function.  The HDMI audio helper then happily tries calling said null function pointer, and produces an Oops as a result.  Fix this by only executing the callback if fn is non-null. This means the .plugged_cb and .plugged_cb_dev members still get appropriately cleared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38132",
                        "url": "https://ubuntu.com/security/CVE-2025-38132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: holding cscfg_csdev_lock while removing cscfg from csdev  There'll be possible race scenario for coresight config:  CPU0                                          CPU1 (perf enable)                                 load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config()   lock(csdev->cscfg_csdev_lock)                                               deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()   <iterating config_csdev_list>              cscfg_remove_owned_csdev_configs()   // here load config activate by CPU1   unlock(csdev->cscfg_csdev_lock)  iterating config_csdev_list could be raced with config_csdev_list's entry delete.  To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs()",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38137",
                        "url": "https://ubuntu.com/security/CVE-2025-38137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/pwrctrl: Cancel outstanding rescan work when unregistering  It's possible to trigger use-after-free here by:    (a) forcing rescan_work_func() to take a long time and   (b) utilizing a pwrctrl driver that may be unloaded for some reason  Cancel outstanding work to ensure it is finished before we allow our data structures to be cleaned up.  [bhelgaas: tidy commit log]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38139",
                        "url": "https://ubuntu.com/security/CVE-2025-38139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfs: Fix oops in write-retry from mis-resetting the subreq iterator  Fix the resetting of the subrequest iterator in netfs_retry_write_stream() to use the iterator-reset function as the iterator may have been shortened by a previous retry.  In such a case, the amount of data to be written by the subrequest is not \"subreq->len\" but \"subreq->len - subreq->transferred\".  Without this, KASAN may see an error in iov_iter_revert():     BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]    BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611    Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147     CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014    Workqueue: events_unbound netfs_write_collection_worker    Call Trace:     <TASK>     __dump_stack lib/dump_stack.c:94 [inline]     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120     print_address_description mm/kasan/report.c:408 [inline]     print_report+0xc3/0x670 mm/kasan/report.c:521     kasan_report+0xe0/0x110 mm/kasan/report.c:634     iov_iter_revert lib/iov_iter.c:633 [inline]     iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611     netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]     netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231     netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]     netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374     process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238     process_scheduled_works kernel/workqueue.c:3319 [inline]     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400     kthread+0x3c2/0x780 kernel/kthread.c:464     ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153  
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245     </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38140",
                        "url": "https://ubuntu.com/security/CVE-2025-38140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: limit swapping tables for devices with zone write plugs  dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size.  If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device.  If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to.  If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes.  Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources.  Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append.  Also, it cannot change the device size or the zone size. A device can switch to an error target.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38279",
                        "url": "https://ubuntu.com/security/CVE-2025-38279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Do not include stack ptr register in precision backtracking bookkeeping  Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg:   [   60.643604] verifier backtracking bug   [   60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10   [   60.648428] Modules linked in: bpf_testmod(OE)   [   60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G          OE       6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full)   [   60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   [   60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014   [   60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10   [   60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04                        01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ...   [   60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246   [   60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000   [   60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff   [   60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a   [   60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8   [   60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001   [   60.684030] FS:  00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000   [   60.686837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [   60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0   [   60.691623] Call Trace:   [   60.692821]  <TASK>   [   60.693960]  ? __pfx_verbose+0x10/0x10   [   60.695656]  ? 
__pfx_disasm_kfunc_name+0x10/0x10   [   60.697495]  check_cond_jmp_op+0x16f7/0x39b0   [   60.699237]  do_check+0x58fa/0xab10   ...  Further analysis shows the warning is at line 4302 as below:    4294                 /* static subprog call instruction, which   4295                  * means that we are exiting current subprog,   4296                  * so only r1-r5 could be still requested as   4297                  * precise, r0 and r6-r10 or any stack slot in   4298                  * the current frame should be zero by now   4299                  */   4300                 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {   4301                         verbose(env, \"BUG regs %x\\n\", bt_reg_mask(bt));   4302                         WARN_ONCE(1, \"verifier backtracking bug\");   4303                         return -EFAULT;   4304                 }  With the below test (also in the next patch):   __used __naked static void __bpf_jmp_r10(void)   { \tasm volatile ( \t\"r2 = 2314885393468386424 ll;\" \t\"goto +0;\" \t\"if r2 <= r10 goto +3;\" \t\"if r1 >= -1835016 goto +0;\" \t\"if r2 <= 8 goto +0;\" \t\"if r3 <= 0 goto +0;\" \t\"exit;\" \t::: __clobber_all);   }    SEC(\"?raw_tp\")   __naked void bpf_jmp_r10(void)   { \tasm volatile ( \t\"r3 = 0 ll;\" \t\"call __bpf_jmp_r10;\" \t\"r0 = 0;\" \t\"exit;\" \t::: __clobber_all);   }  The following is the verifier failure log:   0: (18) r3 = 0x0                      ; R3_w=0   2: (85) call pc+2   caller:    R10=fp0   callee:    frame1: R1=ctx() R3_w=0 R10=fp0   5: frame1: R1=ctx() R3_w=0 R10=fp0   ; asm volatile (\"                                 \\ @ verifier_precision.c:184   5: (18) r2 = 0x20202000256c6c78       ; frame1: R2_w=0x20202000256c6c78   7: (05) goto pc+0   8: (bd) if r2 <= r10 goto pc+3        ; frame1: R2_w=0x20202000256c6c78 R10=fp0   9: (35) if r1 >= 0xffe3fff8 goto pc+0         ; frame1: R1=ctx()   10: (b5) if r2 <= 0x8 goto pc+0   mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1   mark_precise: 
frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0   mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3   mark_preci ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38314",
                        "url": "https://ubuntu.com/security/CVE-2025-38314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-pci: Fix result size returned for the admin command completion  The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status.  This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra    data at the end. 2. The allocated buffer in the kernel may be smaller than the returned    size, leading to failures when reading beyond the allocated size.  The commit fixes this by subtracting the status size from the result of virtqueue_get_buf().  This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38316",
                        "url": "https://ubuntu.com/security/CVE-2025-38316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()  The function mt7996_set_monitor() dereferences phy before the NULL sanity check.  Fix this to avoid NULL pointer dereference by moving the dereference after the check.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38281",
                        "url": "https://ubuntu.com/security/CVE-2025-38281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init  devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt7996_thermal_init() is not checked. Add NULL check in mt7996_thermal_init(), to handle kernel NULL pointer dereference error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38284",
                        "url": "https://ubuntu.com/security/CVE-2025-38284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw89: pci: configure manual DAC mode via PCI config API only  To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA.  With NULL mmap address, kernel throws trace:    BUG: unable to handle page fault for address: 0000000000001090   #PF: supervisor write access in kernel mode   #PF: error_code(0x0002) - not-present page   PGD 0 P4D 0   Oops: Oops: 0002 [#1] PREEMPT SMP PTI   CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE     6.14.2-061402-generic #202504101348   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]   RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206   RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000   RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020   RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015   R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060   FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0   Call Trace:    <TASK>    rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]    rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]    rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]    ? __pfx___device_attach_driver+0x10/0x10    ? __pfx___device_attach_driver+0x10/0x10    local_pci_probe+0x47/0xa0    pci_call_probe+0x5d/0x190    pci_device_probe+0xa7/0x160    really_probe+0xf9/0x370    ? 
pm_runtime_barrier+0x55/0xa0    __driver_probe_device+0x8c/0x140    driver_probe_device+0x24/0xd0    __device_attach_driver+0xcd/0x170    bus_for_each_drv+0x99/0x100    __device_attach+0xb4/0x1d0    device_attach+0x10/0x20    pci_bus_add_device+0x59/0x90    pci_bus_add_devices+0x31/0x80    pciehp_configure_device+0xaa/0x170    pciehp_enable_slot+0xd6/0x240    pciehp_handle_presence_or_link_change+0xf1/0x180    pciehp_ist+0x162/0x1c0    irq_thread_fn+0x24/0x70    irq_thread+0xef/0x1c0    ? __pfx_irq_thread_fn+0x10/0x10    ? __pfx_irq_thread_dtor+0x10/0x10    ? __pfx_irq_thread+0x10/0x10    kthread+0xfc/0x230    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x47/0x70    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38287",
                        "url": "https://ubuntu.com/security/CVE-2025-38287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  IB/cm: Drop lockdep assert and WARN when freeing old msg  The send completion handler can run after cm_id has advanced to another message.  The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38289",
                        "url": "https://ubuntu.com/security/CVE-2025-38289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk  Smatch detected a potential use-after-free of an ndlp oject in dev_loss_tmo_callbk during driver unload or fatal error handling.  Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38291",
                        "url": "https://ubuntu.com/security/CVE-2025-38291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash  Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.  Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.  Call Trace:  <TASK>  dump_stack_lvl+0x75/0xc0  register_lock_class+0x6be/0x7a0  ? __lock_acquire+0x644/0x19a0  __lock_acquire+0x95/0x19a0  lock_acquire+0x265/0x310  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ? find_held_lock+0x34/0xa0  ? ath12k_ce_send+0x56/0x210 [ath12k]  _raw_spin_lock_bh+0x33/0x70  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_htc_send+0x178/0x390 [ath12k]  ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]  ath12k_wmi_cmd_send+0x62/0x190 [ath12k]  ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1  ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]  ieee80211_dump_survey+0x99/0x240 [mac80211]  nl80211_dump_survey+0xe7/0x470 [cfg80211]  ? kmalloc_reserve+0x59/0xf0  genl_dumpit+0x24/0x70  netlink_dump+0x177/0x360  __netlink_dump_start+0x206/0x280  genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0  ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0  ? genl_op_lock.part.12+0x10/0x10  ? genl_dumpit+0x70/0x70  genl_rcv_msg+0x1d0/0x290  ? nl80211_del_station+0x330/0x330 [cfg80211]  ? genl_get_cmd_both+0x50/0x50  netlink_rcv_skb+0x4f/0x100  genl_rcv+0x1f/0x30  netlink_unicast+0x1b6/0x260  netlink_sendmsg+0x31a/0x450  __sock_sendmsg+0xa8/0xb0  ____sys_sendmsg+0x1e4/0x260  ___sys_sendmsg+0x89/0xe0  ? local_clock_noinstr+0xb/0xc0  ? rcu_is_watching+0xd/0x40  ? kfree+0x1de/0x370  ? 
__sys_sendmsg+0x7a/0xc0  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38294",
                        "url": "https://ubuntu.com/security/CVE-2025-38294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix NULL access in assign channel context handler  Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn).  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38296",
                        "url": "https://ubuntu.com/security/CVE-2025-38296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: platform_profile: Avoid initializing on non-ACPI platforms  The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_register() to the module init call, and those entries need acpi_kobj to be initialized which is not the case when ACPI is disabled.  This results in the following warning:   WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8  Modules linked in:  CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.15.0-rc7-dirty #6 PREEMPT  Tainted: [W]=WARN  Hardware name: riscv-virtio,qemu (DT)  epc : internal_create_group+0xa22/0xdd8   ra : internal_create_group+0xa22/0xdd8   Call Trace:   internal_create_group+0xa22/0xdd8  sysfs_create_group+0x22/0x2e  platform_profile_init+0x74/0xb2  do_one_initcall+0x198/0xa9e  kernel_init_freeable+0x6d8/0x780  kernel_init+0x28/0x24c  ret_from_fork+0xe/0x18  Fix this by checking if ACPI is enabled before trying to create sysfs entries.  [ rjw: Subject and changelog edits ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38100",
                        "url": "https://ubuntu.com/security/CVE-2025-38100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/iopl: Cure TIF_IO_BITMAP inconsistencies  io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork().  io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference.  There are two issues, which lead to that problem:    1) io_bitmap_exit() should not invoke task_update_io_bitmap() when      the task, which is cleaned up, is not the current task. That's a      clear indicator for a cleanup after a failed fork().    2) A task should not have TIF_IO_BITMAP set and neither a bitmap      installed nor IOPL emulation level 3 activated.       This happens when a kernel thread is created in the context of      a user space thread, which has TIF_IO_BITMAP set as the thread      flags are copied and the IO bitmap pointer is cleared.       Other than in the failed fork() case this has no impact because      kernel threads including IO workers never return to user space and      therefore never invoke tss_update_io_bitmap().  Cure this by adding the missing cleanups and checks:    1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if      the to be cleaned up task is not the current task.    2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user      space forks it is set later, when the IO bitmap is inherited in      io_bitmap_share().  For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38101",
                        "url": "https://ubuntu.com/security/CVE-2025-38101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()  Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38267",
                        "url": "https://ubuntu.com/security/CVE-2025-38267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not trigger WARN_ON() due to a commit_overrun  When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE().  But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as \"missed_events\".  In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning:   ------------[ cut here ]------------  WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780  Modules linked in: kvm_intel kvm irqbypass  CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780  Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50  RSP: 0018:ffff888121787dc0 EFLAGS: 00010002  RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49  RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8  RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982  R10: ffff888126934c17 R11: 
ffff8881010050a8 R12: ffff888126934c00  R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008  FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0  Call Trace:   <TASK>   ? __pfx_ring_buffer_map_get_reader+0x10/0x10   tracing_buffers_ioctl+0x283/0x370   __x64_sys_ioctl+0x134/0x190   do_syscall_64+0x79/0x1c0   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f95c8de48db  Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00  RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010  RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db  RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006  RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90   </TASK>  irq event stamp: 5080  hardirqs last  enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70  hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70  softirqs last  enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710  softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210  ---[ end trace 0000000000000000 ]---  The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command:   # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50  With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an event 
being written to add enough event ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38268",
                        "url": "https://ubuntu.com/security/CVE-2025-38268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work  A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.  Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:  [110121.667392][    C7] Call trace: [110121.667396][    C7]  __switch_to+0x174/0x338 [110121.667406][    C7]  __schedule+0x608/0x9f0 [110121.667414][    C7]  schedule+0x7c/0xe8 [110121.667423][    C7]  kernfs_drain+0xb0/0x114 [110121.667431][    C7]  __kernfs_remove+0x16c/0x20c [110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][    C7]  sysfs_remove_group+0x84/0xe8 [110121.667450][    C7]  sysfs_remove_groups+0x34/0x58 [110121.667458][    C7]  device_remove_groups+0x10/0x20 [110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4 [110121.667475][    C7]  device_release_driver+0x18/0x28 [110121.667484][    C7]  bus_remove_device+0xec/0x118 [110121.667491][    C7]  device_del+0x1e8/0x4ac [110121.667498][    C7]  device_unregister+0x18/0x38 [110121.667504][    C7]  typec_unregister_altmode+0x30/0x44 [110121.667515][    C7]  tcpm_reset_port+0xac/0x370 [110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8 [110121.667529][    C7]  run_state_machine+0x4c0/0x1b68 [110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4 [110121.667544][    C7]  kthread_worker_fn+0x10c/0x244 [110121.667552][    C7]  kthread+0x104/0x1d4 [110121.667557][    C7]  
ret_from_fork+0x10/0x20  [110121.667689][    C7] Workqueue: events dp_altmode_work [110121.667697][    C7] Call trace: [110121.667701][    C7]  __switch_to+0x174/0x338 [110121.667710][    C7]  __schedule+0x608/0x9f0 [110121.667717][    C7]  schedule+0x7c/0xe8 [110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40 [110121.667733][    C7]  __mutex_lock+0x408/0xdac [110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24 [110121.667748][    C7]  mutex_lock+0x40/0xec [110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4 [110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c [110121.667769][    C7]  dp_altmode_work+0x68/0x164 [110121.667775][    C7]  process_one_work+0x1e4/0x43c [110121.667783][    C7]  worker_thread+0x25c/0x430 [110121.667789][    C7]  kthread+0x104/0x1d4 [110121.667794][    C7]  ret_from_fork+0x10/0x20  Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38102",
                        "url": "https://ubuntu.com/security/CVE-2025-38102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify  During our test, it is found that a warning can be trigger in try_grab_folio as follow:    ------------[ cut here ]------------   WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130   Modules linked in:   CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)   RIP: 0010:try_grab_folio+0x106/0x130   Call Trace:    <TASK>    follow_huge_pmd+0x240/0x8e0    follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0    follow_pud_mask.constprop.0.isra.0+0x14a/0x170    follow_page_mask+0x1c2/0x1f0    __get_user_pages+0x176/0x950    __gup_longterm_locked+0x15b/0x1060    ? gup_fast+0x120/0x1f0    gup_fast_fallback+0x17e/0x230    get_user_pages_fast+0x5f/0x80    vmci_host_unlocked_ioctl+0x21c/0xf80   RIP: 0033:0x54d2cd   ---[ end trace 0000000000000000 ]---  Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follow:  cpu0\t\t\tcpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd  // update &context->notify_page \t\t\tvmci_host_do_set_notify \t\t\tvmci_ctx_unset_notify \t\t\tnotify_page = context->notify_page; \t\t\tif (notify_page) \t\t\tput_page(notify_page);\t// page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here  To slove this, use local variable page to make notify_page can be seen after finish get_user_pages_fast.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38301",
                        "url": "https://ubuntu.com/security/CVE-2025-38301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmem: zynqmp_nvmem: unbreak driver after cleanup  Commit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\") changed the driver to expect the device pointer to be passed as the \"context\", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38352",
                        "url": "https://ubuntu.com/security/CVE-2025-38352",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()  If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().  If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.  Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.  This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-07-22 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38103",
                        "url": "https://ubuntu.com/security/CVE-2025-38103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()  Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor.  Update all references to member element desc[0] to rpt_desc.  Add test to verify bLength and bNumDescriptors values are valid.  Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault.  Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38302",
                        "url": "https://ubuntu.com/security/CVE-2025-38302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work  Bios queued up in the zone write plug have already gone through all preparation in the submit_bio path, including the freeze protection.  Submitting them through submit_bio_noacct_nocheck duplicates the work and can cause deadlocks when freezing a queue with pending bio write plugs.  Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra freeze protection and checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38106",
                        "url": "https://ubuntu.com/security/CVE-2025-38106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()  syzbot reports:  BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304  CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x53/0x70  print_report+0xd0/0x670  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? getrusage+0x1109/0x1a60  kasan_report+0xce/0x100  ? getrusage+0x1109/0x1a60  getrusage+0x1109/0x1a60  ? __pfx_getrusage+0x10/0x10  __io_uring_show_fdinfo+0x9fe/0x1790  ? ksys_read+0xf7/0x1c0  ? do_syscall_64+0xa4/0x260  ? vsnprintf+0x591/0x1100  ? __pfx___io_uring_show_fdinfo+0x10/0x10  ? __pfx_vsnprintf+0x10/0x10  ? mutex_trylock+0xcf/0x130  ? __pfx_mutex_trylock+0x10/0x10  ? __pfx_show_fd_locks+0x10/0x10  ? io_uring_show_fdinfo+0x57/0x80  io_uring_show_fdinfo+0x57/0x80  seq_show+0x38c/0x690  seq_read_iter+0x3f7/0x1180  ? inode_set_ctime_current+0x160/0x4b0  seq_read+0x271/0x3e0  ? __pfx_seq_read+0x10/0x10  ? __pfx__raw_spin_lock+0x10/0x10  ? __mark_inode_dirty+0x402/0x810  ? selinux_file_permission+0x368/0x500  ? file_update_time+0x10f/0x160  vfs_read+0x177/0xa40  ? __pfx___handle_mm_fault+0x10/0x10  ? __pfx_vfs_read+0x10/0x10  ? mutex_lock+0x81/0xe0  ? __pfx_mutex_lock+0x10/0x10  ? fdget_pos+0x24d/0x4b0  ksys_read+0xf7/0x1c0  ? __pfx_ksys_read+0x10/0x10  ? 
do_user_addr_fault+0x43b/0x9c0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000  </TASK>  Allocated by task 298:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  __kasan_slab_alloc+0x6e/0x70  kmem_cache_alloc_node_noprof+0xe8/0x330  copy_process+0x376/0x5e00  create_io_thread+0xab/0xf0  io_sq_offload_create+0x9ed/0xf20  io_uring_setup+0x12b0/0x1cc0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 22:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3b/0x60  __kasan_slab_free+0x37/0x50  kmem_cache_free+0xc4/0x360  rcu_core+0x5ff/0x19f0  handle_softirqs+0x18c/0x530  run_ksoftirqd+0x20/0x30  smpboot_thread_fn+0x287/0x6c0  kthread+0x30d/0x630  ret_from_fork+0xef/0x1a0  ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:  kasan_save_stack+0x33/0x60  kasan_record_aux_stack+0x8c/0xa0  __call_rcu_common.constprop.0+0x68/0x940  __schedule+0xff2/0x2930  __cond_resched+0x4c/0x80  mutex_lock+0x5c/0xe0  io_uring_del_tctx_node+0xe1/0x2b0  io_uring_clean_tctx+0xb7/0x160  io_uring_cancel_generic+0x34e/0x760  do_exit+0x240/0x2350  do_group_exit+0xab/0x220  __x64_sys_exit_group+0x39/0x40  x64_sys_call+0x1243/0x1840  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  The buggy address belongs to the object at ffff88810de2cb00  which belongs to the cache task_struct of size 
3712 The buggy address is located 1992 bytes inside of  freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)  which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the release or exit of sq->thread.  Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38269",
                        "url": "https://ubuntu.com/security/CVE-2025-38269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: exit after state insertion failure at btrfs_convert_extent_bit()  If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access.  So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38270",
                        "url": "https://ubuntu.com/security/CVE-2025-38270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: drv: netdevsim: don't napi_complete() from netpoll  netdevsim supports netpoll. Make sure we don't call napi_complete() from it, since it may not be scheduled. Breno reports hitting a warning in napi_complete_done():  WARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560   __napi_poll+0x2d8/0x3a0   handle_softirqs+0x1fe/0x710  This is presumably after netpoll stole the SCHED bit prematurely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38107",
                        "url": "https://ubuntu.com/security/CVE-2025-38107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: ets: fix a race in ets_qdisc_change()  Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38108",
                        "url": "https://ubuntu.com/security/CVE-2025-38108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: red: fix a race in __red_change()  Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38109",
                        "url": "https://ubuntu.com/security/CVE-2025-38109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix ECVF vports unload on shutdown flow  Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed.  ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports.  kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28    refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38303",
                        "url": "https://ubuntu.com/security/CVE-2025-38303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: eir: Fix possible crashes on eir_create_adv_data  eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38304",
                        "url": "https://ubuntu.com/security/CVE-2025-38304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: Fix NULL pointer deference on eir_get_service_data  The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38110",
                        "url": "https://ubuntu.com/security/CVE-2025-38110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds clause 45 read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38111",
                        "url": "https://ubuntu.com/security/CVE-2025-38111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38112",
                        "url": "https://ubuntu.com/security/CVE-2025-38112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: Fix TOCTOU issue in sk_is_readable()  sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL.  This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference.  Ensure the function pointer does not turn NULL after the check.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38113",
                        "url": "https://ubuntu.com/security/CVE-2025-38113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: CPPC: Fix NULL pointer dereference when nosmp is used  With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic.  Panic backtrace:  [    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [    0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init!  [ rjw: New subject ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38088",
                        "url": "https://ubuntu.com/security/CVE-2025-38088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap  memtrace mmap has an out of bounds issue. This patch fixes it by checking that the requested mapping region size stays within the allocated region size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38115",
                        "url": "https://ubuntu.com/security/CVE-2025-38115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: fix a potential crash on gso_skb handling  SFQ has an assumption of always being able to queue at least one packet.  However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop.  Fix sfq_drop() to properly clear q->tail in this situation.   ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off                 # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100  ip netns exec lb netserver  netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 &",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38414",
                        "url": "https://ubuntu.com/security/CVE-2025-38414",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850  GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms.  Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue.  Note IPQ5332 is not affected as it is not PCIe based device.  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-25 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38305",
                        "url": "https://ubuntu.com/security/CVE-2025-38305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()  There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use.  However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store().  ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415  but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215  other info that might help us debug this:  Possible unsafe locking scenario:         CPU0        ----   lock(&ptp->n_vclocks_mux);   lock(&ptp->n_vclocks_mux);   *** DEADLOCK *** .... ============================================  The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use().  The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks.  Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38117",
                        "url": "https://ubuntu.com/security/CVE-2025-38117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Protect mgmt_pending list with its own lock  This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like:  ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318  CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace:  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)  __dump_stack+0x30/0x40 lib/dump_stack.c:94  dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120  print_address_description+0xa8/0x254 mm/kasan/report.c:408  print_report+0x68/0x84 mm/kasan/report.c:521  kasan_report+0xb0/0x110 mm/kasan/report.c:634  __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379  hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91  mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223  pending_find net/bluetooth/mgmt.c:947 [inline]  remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445  hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712  hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  sock_write_iter+0x25c/0x378 net/socket.c:1131  new_sync_write fs/read_write.c:591 [inline]  vfs_write+0x62c/0x97c fs/read_write.c:684  ksys_write+0x120/0x210 fs/read_write.c:736  __do_sys_write fs/read_write.c:747 [inline]  __se_sys_write fs/read_write.c:744 [inline]  __arm64_sys_write+0x7c/0x90 fs/read_write.c:744  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Allocated by task 7037:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4327 [inline]  __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198  sk_alloc+0x44/0x3ac net/core/sock.c:2254  bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148  hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202  bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132  __sock_create+0x43c/0x91c net/socket.c:1541  sock_create net/socket.c:1599 [inline]  __sys_socket_create net/socket.c:1636 [inline]  __sys_socket+0xd4/0x1c0 net/socket.c:1683  __do_sys_socket net/socket.c:1697 [inline]  __se_sys_socket net/socket.c:1695 [inline]  __arm64_sys_socket+0x7c/0x94 net/socket.c:1695  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Freed by task 6607:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x68/0x88 
mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38118",
                        "url": "https://ubuntu.com/security/CVE-2025-38118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete  This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow:  ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341  CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406  hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 5987:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252  mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279  
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:727  sock_write_iter+0x258/0x330 net/socket.c:1131  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x548/0xa90 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 5989:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2380 [inline]  slab_free mm/slub.c:4642 [inline]  kfree+0x18e/0x440 mm/slub.c:4841  mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242  mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366  hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314  __sys_bind_socket net/socket.c:1810 [inline]  __sys_bind+0x2c3/0x3e0 net/socket.c:1841  __do_sys_bind net/socket.c:1846 [inline]  __se_sys_bind net/socket.c:1844 [inline]  __x64_sys_bind+0x7a/0x90 net/socket.c:1844  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38119",
                        "url": "https://ubuntu.com/security/CVE-2025-38119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: core: ufs: Fix a hang in the error handler  ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before.  Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20  [ bvanassche: rewrote patch description ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38307",
                        "url": "https://ubuntu.com/security/CVE-2025-38307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Verify content returned by parse_int_array()  The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38310",
                        "url": "https://ubuntu.com/security/CVE-2025-38310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: Fix validation of nexthop addresses  The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one.  Fix by validating that the provided length exactly matches the specified one.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38120",
                        "url": "https://ubuntu.com/security/CVE-2025-38120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_set_pipapo_avx2: fix initial map fill  If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map.  The early fix was incomplete and did only fix up the generic C implementation.  A followup patch adds a test case to nft_concat_range.sh.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38122",
                        "url": "https://ubuntu.com/security/CVE-2025-38122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO  gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer.  Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails.  This improves robustness in low-memory scenarios.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38123",
                        "url": "https://ubuntu.com/security/CVE-2025-38123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: Fix napi rx poll issue  When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic.  BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x620 [...] Call Trace:  <IRQ>  ? __die_body+0x68/0xb0  ? page_fault_oops+0x379/0x3e0  ? exc_page_fault+0x4f/0xa0  ? asm_exc_page_fault+0x22/0x30  ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]  ? dev_gro_receive+0x3a/0x620  napi_gro_receive+0xad/0x170  t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]  t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]  net_rx_action+0x103/0x470  irq_exit_rcu+0x13a/0x310  sysvec_apic_timer_interrupt+0x56/0x90  </IRQ>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38124",
                        "url": "https://ubuntu.com/security/CVE-2025-38124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix udp gso skb_segment after pull from frag_list  Commit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after pull from frag_list\") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust.  If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below.  Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size  Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants.  In extreme cases they pull one part of data into skb linear. For UDP, this  causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes.  The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment.      
skb_segment+0xcd0/0xd14     __udp_gso_segment+0x334/0x5f4     udp4_ufo_fragment+0x118/0x15c     inet_gso_segment+0x164/0x338     skb_mac_gso_segment+0xc4/0x13c     __skb_gso_segment+0xc4/0x124     validate_xmit_skb+0x9c/0x2c0     validate_xmit_skb_list+0x4c/0x80     sch_direct_xmit+0x70/0x404     __dev_queue_xmit+0x64c/0xe5c     neigh_resolve_output+0x178/0x1c4     ip_finish_output2+0x37c/0x47c     __ip_finish_output+0x194/0x240     ip_finish_output+0x20/0xf4     ip_output+0x100/0x1a0     NF_HOOK+0xc4/0x16c     ip_forward+0x314/0x32c     ip_rcv+0x90/0x118     __netif_receive_skb+0x74/0x124     process_backlog+0xe8/0x1a4     __napi_poll+0x5c/0x1f8     net_rx_action+0x154/0x314     handle_softirqs+0x154/0x4b8      [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!     [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP     [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000     [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000     [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)     [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14     [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14     [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38125",
                        "url": "https://ubuntu.com/security/CVE-2025-38125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring EST  If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0.  Prevent this division by 0 by adding the corresponding check and error code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38126",
                        "url": "https://ubuntu.com/security/CVE-2025-38126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping  The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0:   Division by zero in kernel.  CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22  Hardware name: STM32 (Device Tree Support)  Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x6c/0x8c   dump_stack_lvl from Ldiv0_64+0x8/0x18   Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4   stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c   stmmac_hw_setup from __stmmac_open+0x18c/0x434   __stmmac_open from stmmac_open+0x3c/0xbc   stmmac_open from __dev_open+0xf4/0x1ac   __dev_open from __dev_change_flags+0x1cc/0x224   __dev_change_flags from dev_change_flags+0x24/0x60   dev_change_flags from ip_auto_config+0x2e8/0x11a0   ip_auto_config from do_one_initcall+0x84/0x33c   do_one_initcall from kernel_init_freeable+0x1b8/0x214   kernel_init_freeable from kernel_init+0x24/0x140   kernel_init from ret_from_fork+0x14/0x28  Exception stack(0xe0815fb0 to 0xe0815ff8)  Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38127",
                        "url": "https://ubuntu.com/security/CVE-2025-38127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix Tx scheduler error handling in XDP callback  When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation.  The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace:  [  +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [  +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [  +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [  +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [  +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]  [...]  [  +0.002715] Call Trace: [  +0.002452]  <IRQ> [  +0.002021]  ? __die_body.cold+0x19/0x29 [  +0.003922]  ? die_addr+0x3c/0x60 [  +0.003319]  ? exc_general_protection+0x17c/0x400 [  +0.004707]  ? asm_exc_general_protection+0x26/0x30 [  +0.004879]  ? __ice_update_sample+0x39/0xe0 [ice] [  +0.004835]  ice_napi_poll+0x665/0x680 [ice] [  +0.004320]  __napi_poll+0x28/0x190 [  +0.003500]  net_rx_action+0x198/0x360 [  +0.003752]  ? update_rq_clock+0x39/0x220 [  +0.004013]  handle_softirqs+0xf1/0x340 [  +0.003840]  ? 
sched_clock_cpu+0xf/0x1f0 [  +0.003925]  __irq_exit_rcu+0xc2/0xe0 [  +0.003665]  common_interrupt+0x85/0xa0 [  +0.003839]  </IRQ> [  +0.002098]  <TASK> [  +0.002106]  asm_common_interrupt+0x26/0x40 [  +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690  Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38129",
                        "url": "https://ubuntu.com/security/CVE-2025-38129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: Fix use-after-free in page_pool_recycle_in_ring  syzbot reported a uaf in page_pool_recycle_in_ring:  BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943  CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x169/0x550 mm/kasan/report.c:489  kasan_report+0x143/0x180 mm/kasan/report.c:602  lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]  _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210  spin_unlock_bh include/linux/spinlock.h:396 [inline]  ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]  page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]  page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826  page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]  page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]  napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036  skb_pp_recycle net/core/skbuff.c:1047 [inline]  skb_free_head net/core/skbuff.c:1094 [inline]  skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125  skb_release_all net/core/skbuff.c:1190 [inline]  __kfree_skb net/core/skbuff.c:1204 [inline]  sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242  kfree_skb_reason include/linux/skbuff.h:1263 [inline]  __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]  root cause is:  page_pool_recycle_in_ring   ptr_ring_produce     spin_lock(&r->producer_lock);     WRITE_ONCE(r->queue[r->producer++], ptr) 
      //recycle last page to pool \t\t\t\tpage_pool_release \t\t\t\t  page_pool_scrub \t\t\t\t    page_pool_empty_ring \t\t\t\t      ptr_ring_consume \t\t\t\t      page_pool_return_page  //release all page \t\t\t\t  __page_pool_destroy \t\t\t\t     free_percpu(pool->recycle_stats); \t\t\t\t     free(pool) //free       spin_unlock(&r->producer_lock); //pool->ring uaf read   recycle_stat_inc(pool, ring);  page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.  recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38131",
                        "url": "https://ubuntu.com/security/CVE-2025-38131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: prevent deactivate active config while enabling the config  While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario:  CPU0                                          CPU1 (sysfs enable)                                load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock)                                                deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()                                               unload module  // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config  To address this, use cscfg_config_desc's active_cnt as a reference count  which will be holded when     - activate the config.     - enable the activated config. and put the module reference when config_active_cnt == 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38274",
                        "url": "https://ubuntu.com/security/CVE-2025-38274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()  fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference.  Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38134",
                        "url": "https://ubuntu.com/security/CVE-2025-38134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()  As demonstrated by the fix for update_port_device_state, commit 12783c0b9e2c (\"usb: core: Prevent null pointer dereference in update_port_device_state\"), usb_hub_to_struct_hub() can return NULL in certain scenarios, such as during hub driver unbind or teardown race conditions, even if the underlying usb_device structure exists.  Plus, all other places that call usb_hub_to_struct_hub() in the same file do check for NULL return values.  If usb_hub_to_struct_hub() returns NULL, the subsequent access to hub->ports[udev->portnum - 1] will cause a null pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38135",
                        "url": "https://ubuntu.com/security/CVE-2025-38135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: Fix potential null-ptr-deref in mlb_usio_probe()  devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference.  Add NULL check after devm_ioremap() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38136",
                        "url": "https://ubuntu.com/security/CVE-2025-38136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: renesas_usbhs: Reorder clock handling and power management in probe  Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks.  Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows:      usbhs_probe()         usbhs_sys_clock_ctrl()             usbhs_bset()                 usbhs_write()                     iowrite16()  <-- Register access before enabling clocks  Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H:  [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 
00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076]  platform_probe+0x68/0xdc [13.406738]  really_probe+0xbc/0x2c0 [13.410306]  __driver_probe_device+0x78/0x120 [13.414653]  driver_probe_device+0x3c/0x154 [13.418825]  __driver_attach+0x90/0x1a0 [13.422647]  bus_for_each_dev+0x7c/0xe0 [13.426470]  driver_attach+0x24/0x30 [13.430032]  bus_add_driver+0xe4/0x208 [13.433766]  driver_register+0x68/0x130 [13.437587]  __platform_driver_register+0x24/0x30 [13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450]  do_one_initcall+0x60/0x1d4 [13.452276]  do_init_module+0x54/0x1f8 [13.456014]  load_module+0x1754/0x1c98 [13.459750]  init_module_from_file+0x88/0xcc [13.464004]  __arm64_sys_finit_module+0x1c4/0x328 [13.468689]  invoke_syscall+0x48/0x104 [13.472426]  el0_svc_common.constprop.0+0xc0/0xe0 [13.477113]  do_el0_svc+0x1c/0x28 [13.480415]  el0_svc+0x30/0xcc [13.483460]  el0t_64_sync_handler+0x10c/0x138 [13.487800]  el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38138",
                        "url": "https://ubuntu.com/security/CVE-2025-38138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: Add NULL check in udma_probe()  devm_kasprintf() returns NULL when memory allocation fails. Currently, udma_probe() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38275",
                        "url": "https://ubuntu.com/security/CVE-2025-38275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug  The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference.  Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38141",
                        "url": "https://ubuntu.com/security/CVE-2025-38141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix dm_blk_report_zones  If dm_get_live_table() returned NULL, dm_put_live_table() was never called. Also, it is possible that md->zone_revalidate_map will change while calling this function. Only read it once, so that we are always using the same value. Otherwise we might miss a call to dm_put_live_table().  Finally, while md->zone_revalidate_map is set and a process is calling blk_revalidate_disk_zones() to set up the zone append emulation resources, it is possible that another process, perhaps triggered by blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If blk_revalidate_disk_zones() fails, these resources can be freed while the other process is still using them, causing a use-after-free error.  blk_revalidate_disk_zones() will only ever be called when initially setting up the zone append emulation resources, such as when setting up a zoned dm-crypt table for the first time. Further table swaps will not set md->zone_revalidate_map or call blk_revalidate_disk_zones(). However it must be called using the new table (referenced by md->zone_revalidate_map) and the new queue limits while the DM device is suspended. dm_blk_report_zones() needs some way to distinguish between a call from blk_revalidate_disk_zones(), which must be allowed to use md->zone_revalidate_map to access this not yet activated table, and all other calls to dm_blk_report_zones(), which should not be allowed while the device is suspended and cannot use md->zone_revalidate_map, since the zone resources might be freed by the process currently calling blk_revalidate_disk_zones().  Solve this by tracking the process that sets md->zone_revalidate_map in dm_revalidate_zones() and only allowing that process to make use of it in dm_blk_report_zones().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38142",
                        "url": "https://ubuntu.com/security/CVE-2025-38142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (asus-ec-sensors) check sensor index in read_string()  Prevent a potential invalid memory access when the requested sensor is not found.  find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info().  Add a proper check to return -EINVAL if sensor_index is negative.  Found by Linux Verification Center (linuxtesting.org) with SVACE.  [groeck: Return error code returned from find_ec_sensor_index]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38277",
                        "url": "https://ubuntu.com/security/CVE-2025-38277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: nand: ecc-mxic: Fix use of uninitialized variable ret  If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes.  This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization.  Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38143",
                        "url": "https://ubuntu.com/security/CVE-2025-38143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  backlight: pm8941: Add NULL check in wled_configure()  devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38312",
                        "url": "https://ubuntu.com/security/CVE-2025-38312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()  In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow...  Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38145",
                        "url": "https://ubuntu.com/security/CVE-2025-38145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()  devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.  [arj: Fix Fixes: tag to use subject from 3772e5da4454]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38313",
                        "url": "https://ubuntu.com/security/CVE-2025-38313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: fix double-free on mc_dev  The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable.  In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed.  This commit introduces back the following checkpatch warning which is a false-positive.  WARNING: kfree(NULL) is safe and this check is probably not required +       if (mc_bus) +               kfree(mc_bus);",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38415",
                        "url": "https://ubuntu.com/security/CVE-2025-38415",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: check return result of sb_min_blocksize  Syzkaller reports an \"UBSAN: shift-out-of-bounds in squashfs_bio_read\" bug.  Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl(\"/dev/loop0\", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs.  When this happens the following code in squashfs_fill_super() fails.  ---- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize); ----  sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.  As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.  This subsequently causes the  UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')  This commit adds a check for a 0 return by sb_min_blocksize().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-25 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38146",
                        "url": "https://ubuntu.com/security/CVE-2025-38146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: openvswitch: Fix the dead loop of MPLS parse  The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally.  stack backtrace: UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 index -1 is out of range for type '__be32 [3]' CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE  5.15.0-121-generic #131-Ubuntu Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 Call Trace:  <IRQ>  show_stack+0x52/0x5c  dump_stack_lvl+0x4a/0x63  dump_stack+0x10/0x16  ubsan_epilogue+0x9/0x36  __ubsan_handle_out_of_bounds.cold+0x44/0x49  key_extract_l3l4+0x82a/0x840 [openvswitch]  ? kfree_skbmem+0x52/0xa0  key_extract+0x9c/0x2b0 [openvswitch]  ovs_flow_key_extract+0x124/0x350 [openvswitch]  ovs_vport_receive+0x61/0xd0 [openvswitch]  ? kernel_init_free_pages.part.0+0x4a/0x70  ? get_page_from_freelist+0x353/0x540  netdev_port_receive+0xc4/0x180 [openvswitch]  ? netdev_port_receive+0x180/0x180 [openvswitch]  netdev_frame_hook+0x1f/0x40 [openvswitch]  __netif_receive_skb_core.constprop.0+0x23a/0xf00  __netif_receive_skb_list_core+0xfa/0x240  netif_receive_skb_list_internal+0x18e/0x2a0  napi_complete_done+0x7a/0x1c0  bnxt_poll+0x155/0x1c0 [bnxt_en]  __napi_poll+0x30/0x180  net_rx_action+0x126/0x280  ? bnxt_msix+0x67/0x80 [bnxt_en]  handle_softirqs+0xda/0x2d0  irq_exit_rcu+0x96/0xc0  common_interrupt+0x8e/0xa0  </IRQ>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38147",
                        "url": "https://ubuntu.com/security/CVE-2025-38147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  calipso: Don't call calipso functions for AF_INET sk.  syzkaller reported a null-ptr-deref in txopt_get(). [0]  The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there.  However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one.  The root cause is missing validation in netlbl_conn_setattr().  netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace.  However, netlbl_conn_setattr() does not check if the address family matches the socket.  The syzkaller must have called connect() for an IPv6 address on an IPv4 socket.  We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage.  Let's copy the validation to netlbl_conn_setattr().  [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS:  00007f9019bd7640(0000) 
GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace:  <TASK>  calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557  netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177  selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569  selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]  selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615  selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931  security_socket_connect+0x50/0xa0 security/security.c:4598  __sys_connect_file+0xa4/0x190 net/socket.c:2067  __sys_connect+0x12c/0x170 net/socket.c:2088  __do_sys_connect net/socket.c:2098 [inline]  __se_sys_connect net/socket.c:2095 [inline]  __x64_sys_connect+0x73/0xb0 net/socket.c:2095  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000  </TASK> Modules linked in:",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38278",
                        "url": "https://ubuntu.com/security/CVE-2025-38278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback  This patch addresses below issues,  1. Active traffic on the leaf node must be stopped before its send queue    is reassigned to the parent. This patch resolves the issue by marking    the node as 'Inner'.  2. During a system reboot, the interface receives TC_HTB_LEAF_DEL    and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.    In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue    is reassigned to the parent, the current logic still attempts to update    the real number of queues, leadning to below warnings          New queues can't be registered after device unregistration.         WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714         netdev_queue_update_kobjects+0x1e4/0x200",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38148",
                        "url": "https://ubuntu.com/security/CVE-2025-38148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: mscc: Fix memory leak when using one step timestamping  Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never released. Fix this by freeing the frame in case of one-step timestamping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38149",
                        "url": "https://ubuntu.com/security/CVE-2025-38149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: clear phydev->devlink when the link is deleted  There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the \"error\" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows.  [   24.702421] Call trace: [   24.704856]  device_link_put_kref+0x20/0x120 [   24.709124]  device_link_del+0x30/0x48 [   24.712864]  phy_detach+0x24/0x168 [   24.716261]  phy_attach_direct+0x168/0x3a4 [   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c [   24.725140]  phylink_of_phy_connect+0x1c/0x34  Therefore, phydev->devlink needs to be cleared when the device link is deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38280",
                        "url": "https://ubuntu.com/security/CVE-2025-38280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Avoid __bpf_prog_ret0_warn when jit fails  syzkaller reported an issue:  WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace:  <TASK>  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105  ...  When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, but jit failed due to FAULT_INJECTION. As a result, incorrectly treats the program as valid, when the program runs it calls `__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38151",
                        "url": "https://ubuntu.com/security/CVE-2025-38151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work  The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item currently in the work queue.  However, it left a problem when queue_work fails (because the item is still pending in the work queue from a previous call). In this case, cma_id_put (which is called in the work handler) is therefore not called. This results in a userspace process hang (zombie process).  Fix this by calling cma_id_put() if queue_work fails.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38153",
                        "url": "https://ubuntu.com/security/CVE-2025-38153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: aqc111: fix error handling of usbnet read calls  Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").  For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings.  Fix the issue by verifying that the number of bytes read is as expected and not less.  [1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  is_valid_ether_addr include/linux/etherdevice.h:208 [inline]  usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline]  really_probe+0x4d1/0xd90 drivers/base/dd.c:658  __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ...  Uninit was stored to memory at:  dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582  __dev_addr_set include/linux/netdevice.h:4874 [inline]  eth_hw_addr_set include/linux/etherdevice.h:325 [inline]  aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ...  
Uninit was stored to memory at:  ether_addr_copy include/linux/etherdevice.h:305 [inline]  aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]  aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline] ...  Local variable buf.i created at:  aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]  aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38154",
                        "url": "https://ubuntu.com/security/CVE-2025-38154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Avoid using sk_socket after free when sending  The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected.  Race conditions: ''' CPU0                               CPU1  backlog::skb_send_sock   sendmsg_unlocked     sock_sendmsg       sock_sendmsg_nosec                                    close(fd):                                      ...                                      ops->release() -> sock_map_close()                                      sk_socket->ops = NULL                                      free(socket)       sock->ops->sendmsg             ^             panic here '''  The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() {     ...     if (likely(psock)) {     ...     // !! here we remove psock and the ref of psock become 0     sock_map_remove_links(sk, psock)     psock = sk_psock_get(sk);     if (unlikely(!psock))         goto no_psock; <=== Control jumps here via goto         ...         cancel_delayed_work_sync(&psock->work); <=== not executed         sk_psock_put(sk, psock);         ... } '''  Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions.  With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work.  If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync().  In summary, we require synchronization to coordinate the backlog thread and close() thread.  
The panic I catched: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace:  <TASK>  ? die_addr+0x40/0xa0  ? exc_general_protection+0x14c/0x230  ? asm_exc_general_protection+0x26/0x30  ? sock_sendmsg+0x21d/0x440  ? sock_sendmsg+0x3e0/0x440  ? __pfx_sock_sendmsg+0x10/0x10  __skb_send_sock+0x543/0xb70  sk_psock_backlog+0x247/0xb80 ... '''",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38315",
                        "url": "https://ubuntu.com/security/CVE-2025-38315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btintel: Check dsbr size from EFI variable  Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38155",
                        "url": "https://ubuntu.com/security/CVE-2025-38155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7915_mmio_wed_init().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38156",
                        "url": "https://ubuntu.com/security/CVE-2025-38156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7996_mmio_wed_init()",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38282",
                        "url": "https://ubuntu.com/security/CVE-2025-38282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kernfs: Relax constraint in draining guard  The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanism is in place, the WARN check in kernfs_should_drain_open_files() is too sensitive -- it may transiently catch those (rightful) callers between kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen Ridong:  \tkernfs_remove_by_name_ns\tkernfs_get_active // active=1 \t__kernfs_remove\t\t\t\t\t  // active=0x80000002 \tkernfs_drain\t\t\t... \twait_event \t//waiting (active == 0x80000001) \t\t\t\t\tkernfs_break_active_protection \t\t\t\t\t// active = 0x80000001 \t// continue \t\t\t\t\tkernfs_unbreak_active_protection \t\t\t\t\t// active = 0x80000002 \t... \tkernfs_should_drain_open_files \t// warning occurs \t\t\t\t\tkernfs_put_active  To avoid the false positives (mind panic_on_warn) remove the check altogether. (This is meant as quick fix, I think active reference break/unbreak may be simplified with larger rework.)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38157",
                        "url": "https://ubuntu.com/security/CVE-2025-38157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath9k_htc: Abort software beacon handling if disabled  A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read.  Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38283",
                        "url": "https://ubuntu.com/security/CVE-2025-38283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: bugfix live migration function without VF device driver  If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors.  Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38158",
                        "url": "https://ubuntu.com/security/CVE-2025-38158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: fix XQE dma address error  The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services  failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected.  Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data.  In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38159",
                        "url": "https://ubuntu.com/security/CVE-2025-38159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds  Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes:  void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) {     ...     SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);     SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));     ...     SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));  Detected using the static analysis tool - Svace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38285",
                        "url": "https://ubuntu.com/security/CVE-2025-38285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix WARN() in get_bpf_raw_tp_regs  syzkaller reported an issue:  WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 FS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]  bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]  bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405  __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47  __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47  __do_trace_mmap_lock_acquire_returned 
include/trace/events/mmap_lock.h:47 [inline]  trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]  __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]  mmap_read_trylock include/linux/mmap_lock.h:204 [inline]  stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157  __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483  ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]  bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]  bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  Tracepoint like trace_mmap_lock_acquire_returned may cause nested call as the corner case show above, which will be resolved with more general method in the future. As a result, WARN_ON_ONCE will be triggered. As Alexei suggested, remove the WARN_ON_ONCE first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38286",
                        "url": "https://ubuntu.com/security/CVE-2025-38286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: at91: Fix possible out-of-boundary access  at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38160",
                        "url": "https://ubuntu.com/security/CVE-2025-38160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()  devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38161",
                        "url": "https://ubuntu.com/security/CVE-2025-38161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction  Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure.  Now properly rollback the object to its original state upon such failure.  In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G          OE     -------  ---  6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: 
ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace:  refcount_warn_saturate+0xf4/0x148  mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]  mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]  mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]  ib_destroy_wq_user+0x30/0xc0 [ib_core]  uverbs_free_wq+0x28/0x58 [ib_uverbs]  destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]  uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]  __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]  uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]  ib_uverbs_close+0x2c/0x100 [ib_uverbs]  __fput+0xd8/0x2f0  __fput_sync+0x50/0x70  __arm64_sys_close+0x40/0x90  invoke_syscall.constprop.0+0x74/0xd0  do_el0_svc+0x48/0xe8  el0_svc+0x44/0x1d0  el0t_64_sync_handler+0x120/0x130  el0t_64_sync+0x1a4/0x1a8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38162",
                        "url": "https://ubuntu.com/security/CVE-2025-38162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo: prevent overflow in lookup table allocation  When calculating the lookup table size, ensure the following multiplication does not overflow:  - desc->field_len[] maximum value is U8_MAX multiplied by   NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in   struct nft_pipapo_field.  Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this.  While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38288",
                        "url": "https://ubuntu.com/security/CVE-2025-38288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels  Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id().  smp_processor_id() checks to see if preemption is disabled and if not, issue an error message followed by a call to dump_stack().  Brief example of call trace: kernel:  check_preemption_disabled: 436 callbacks suppressed kernel:  BUG: using smp_processor_id() in preemptible [00000000]          code: kworker/u1025:0/2354 kernel:  caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  CPU: 129 PID: 2354 Comm: kworker/u1025:0 kernel:  ... kernel:  Workqueue: writeback wb_workfn (flush-253:0) kernel:  Call Trace: kernel:   <TASK> kernel:   dump_stack_lvl+0x34/0x48 kernel:   check_preemption_disabled+0xdd/0xe0 kernel:   pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  ...",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38290",
                        "url": "https://ubuntu.com/security/CVE-2025-38290",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20  The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38292",
                        "url": "https://ubuntu.com/security/CVE-2025-38292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix invalid access to memory  In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error.  Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used.  Compile tested only.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38163",
                        "url": "https://ubuntu.com/security/CVE-2025-38163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to do sanity check on sbi->total_valid_block_count  syzbot reported a f2fs bug as below:  ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace:  f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695  truncate_dnode+0x417/0x740 fs/f2fs/node.c:973  truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014  f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197  f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810  f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838  f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888  f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112  notify_change+0xbca/0xe90 fs/attr.c:552  do_truncate+0x222/0x310 fs/open.c:65  handle_truncate fs/namei.c:3466 [inline]  do_open fs/namei.c:3849 [inline]  path_openat+0x2e4f/0x35d0 fs/namei.c:4004  do_filp_open+0x284/0x4e0 fs/namei.c:4031  do_sys_openat2+0x12b/0x1d0 fs/open.c:1429  do_sys_open fs/open.c:1444 [inline]  __do_sys_creat fs/open.c:1522 [inline]  __se_sys_creat fs/open.c:1516 [inline]  __x64_sys_creat+0x124/0x170 fs/open.c:1516  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94  The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38317",
                        "url": "https://ubuntu.com/security/CVE-2025-38317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Fix buffer overflow in debugfs  If the user tries to write more than 32 bytes then it results in memory corruption.  Fortunately, this is debugfs so it's limited to root users.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38164",
                        "url": "https://ubuntu.com/security/CVE-2025-38164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: zone: fix to avoid inconsistence in between SIT and SSA  w/ below testcase, it will cause inconsistence in between SIT and SSA.  create_null_blk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch /mnt/f2fs/file f2fs_io pinfile set /mnt/f2fs/file fallocate -l 4GiB /mnt/f2fs/file  F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G           O      6.13.0-rc1 #84 Tainted: [O]=OOT_MODULE Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 Call Trace:  <TASK>  dump_stack_lvl+0xb3/0xd0  dump_stack+0x14/0x20  f2fs_handle_critical_error+0x18c/0x220 [f2fs]  f2fs_stop_checkpoint+0x38/0x50 [f2fs]  do_garbage_collect+0x674/0x6e0 [f2fs]  f2fs_gc_range+0x12b/0x230 [f2fs]  f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]  f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]  f2fs_fallocate+0x3c3/0x410 [f2fs]  vfs_fallocate+0x15f/0x4b0  __x64_sys_fallocate+0x4a/0x80  x64_sys_call+0x15e8/0x1b80  do_syscall_64+0x68/0x130  entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f9dba5197ca F2FS-fs (nullb0): Stopped filesystem due to reason: 4  The reason is f2fs_gc_range() may try to migrate block in curseg, however, its SSA block is not uptodate due to the last summary block data is still in cache of curseg.  In this patch, we add a condition in f2fs_gc_range() to check whether section is opened or not, and skip block migration for opened section.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38165",
                        "url": "https://ubuntu.com/security/CVE-2025-38165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Fix panic when calling skb_linearize  The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000  Then a kernel panic was captured: ''' [  657.460555] kernel BUG at net/core/skbuff.c:2178! [  657.462680] Tainted: [W]=WARN [  657.463287] Workqueue: events sk_psock_backlog ... [  657.469610]  <TASK> [  657.469738]  ? die+0x36/0x90 [  657.469916]  ? do_trap+0x1d0/0x270 [  657.470118]  ? pskb_expand_head+0x612/0xf40 [  657.470376]  ? pskb_expand_head+0x612/0xf40 [  657.470620]  ? do_error_trap+0xa3/0x170 [  657.470846]  ? pskb_expand_head+0x612/0xf40 [  657.471092]  ? handle_invalid_op+0x2c/0x40 [  657.471335]  ? pskb_expand_head+0x612/0xf40 [  657.471579]  ? exc_invalid_op+0x2d/0x40 [  657.471805]  ? asm_exc_invalid_op+0x1a/0x20 [  657.472052]  ? pskb_expand_head+0xd1/0xf40 [  657.472292]  ? pskb_expand_head+0x612/0xf40 [  657.472540]  ? lock_acquire+0x18f/0x4e0 [  657.472766]  ? find_held_lock+0x2d/0x110 [  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10 [  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470 [  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10 [  657.473826]  __pskb_pull_tail+0xfd/0x1d20 [  657.474062]  ? __kasan_slab_alloc+0x4e/0x90 [  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510 [  657.475392]  ? __kasan_kmalloc+0xaa/0xb0 [  657.476010]  sk_psock_backlog+0x5cf/0xd70 [  657.476637]  process_one_work+0x858/0x1a20 '''  The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.  
The \"--rx-strp 100000\" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.  To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.  ''' sk_psock_backlog:     sk_psock_handle_skb        skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'        sk_psock_skb_ingress____________                                        ↓                                        |                                        | → sk_psock_skb_ingress_self                                        |      sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑          skb_linearize '''  Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38166",
                        "url": "https://ubuntu.com/security/CVE-2025-38166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix ktls panic with sockmap  [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299]  <TASK> [ 2172.945428]  ? die+0x36/0x90 [ 2172.945601]  ? do_trap+0xdd/0x100 [ 2172.945795]  ? iov_iter_revert+0x178/0x180 [ 2172.946031]  ? iov_iter_revert+0x178/0x180 [ 2172.946267]  ? do_error_trap+0x7d/0x110 [ 2172.946499]  ? iov_iter_revert+0x178/0x180 [ 2172.946736]  ? exc_invalid_op+0x50/0x70 [ 2172.946961]  ? iov_iter_revert+0x178/0x180 [ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446]  ? iov_iter_revert+0x178/0x180 [ 2172.947683]  ? iov_iter_revert+0x5c/0x180 [ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206]  tls_sw_sendmsg+0x52/0x80 [ 2172.948420]  ? inet_sendmsg+0x1f/0x70 [ 2172.948634]  __sys_sendto+0x1cd/0x200 [ 2172.948848]  ? find_held_lock+0x2b/0x80 [ 2172.949072]  ? syscall_trace_enter+0x140/0x270 [ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595]  ? find_held_lock+0x2b/0x80 [ 2172.949817]  ? syscall_trace_enter+0x140/0x270 [ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036]  __x64_sys_sendto+0x24/0x30 [ 2172.951382]  do_syscall_64+0x90/0x170 ......  After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data().  If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. 
''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); '''  The changes in this commit are based on the following considerations:  1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic.  2. We can not calculate the correct number of bytes to revert msg_iter.  Assume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: \"abc?de?fgh?\". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes \"?fgh?\" will be cached until the length meets the cork_bytes requirement.  However, some data in \"?fgh?\" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data \"?\" we pushed.  So it doesn't seem as simple as just reverting through an offset of msg_iter.  3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached.  Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { \tif (ret == -ENOSPC) \t\tret = 0; \tgoto send_end; '''  So it's ok to just return 'copied' without error when a \"cork\" situation occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38293",
                        "url": "https://ubuntu.com/security/CVE-2025-38293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath11k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ...  Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38295",
                        "url": "https://ubuntu.com/security/CVE-2025-38295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()  The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context.  Following kernel warning and stack trace: [   31.745138] [   T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 [   31.745154] [   T2289] caller is debug_smp_processor_id+0x28/0x38 [   31.745172] [   T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 [   31.745181] [   T2289] Tainted: [W]=WARN [   31.745183] [   T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) [   31.745188] [   T2289] Call trace: [   31.745191] [   T2289]  show_stack+0x28/0x40 (C) [   31.745199] [   T2289]  dump_stack_lvl+0x4c/0x198 [   31.745205] [   T2289]  dump_stack+0x20/0x50 [   31.745209] [   T2289]  check_preemption_disabled+0xec/0xf0 [   31.745213] [   T2289]  debug_smp_processor_id+0x28/0x38 [   31.745216] [   T2289]  meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745237] [   T2289]  g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745246] [   T2289]  platform_probe+0x98/0xe0 [   31.745254] [   T2289]  really_probe+0x144/0x3f8 [   31.745258] [   T2289]  __driver_probe_device+0xb8/0x180 [   31.745261] [   T2289]  driver_probe_device+0x54/0x268 [   31.745264] [   T2289]  __driver_attach+0x11c/0x288 [   31.745267] [   T2289]  bus_for_each_dev+0xfc/0x160 [   31.745274] [   T2289]  driver_attach+0x34/0x50 [   31.745277] [   T2289]  bus_add_driver+0x160/0x2b0 [   31.745281] [   T2289]  driver_register+0x78/0x120 [   
31.745285] [   T2289]  __platform_driver_register+0x30/0x48 [   31.745288] [   T2289]  init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745298] [   T2289]  do_one_initcall+0x11c/0x438 [   31.745303] [   T2289]  do_init_module+0x68/0x228 [   31.745311] [   T2289]  load_module+0x118c/0x13a8 [   31.745315] [   T2289]  __arm64_sys_finit_module+0x274/0x390 [   31.745320] [   T2289]  invoke_syscall+0x74/0x108 [   31.745326] [   T2289]  el0_svc_common+0x90/0xf8 [   31.745330] [   T2289]  do_el0_svc+0x2c/0x48 [   31.745333] [   T2289]  el0_svc+0x60/0x150 [   31.745337] [   T2289]  el0t_64_sync_handler+0x80/0x118 [   31.745341] [   T2289]  el0t_64_sync+0x1b8/0x1c0  Changes replaces smp_processor_id() with raw_smp_processor_id() to ensure safe CPU ID retrieval in preemptible contexts.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38167",
                        "url": "https://ubuntu.com/security/CVE-2025-38167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/ntfs3: handle hdr_first_de() return value  The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently.  Additionally, error handling for the return value already exists at other points where this function is called.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38318",
                        "url": "https://ubuntu.com/security/CVE-2025-38318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Fix missing platform_set_drvdata()  Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38168",
                        "url": "https://ubuntu.com/security/CVE-2025-38168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Unregister PMUs on probe failure  When a resource allocation fails in one clock domain of an NI device, we need to properly roll back all previously registered perf PMUs in other clock domains of the same device.  Otherwise, it can lead to kernel panics.  Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 list_add corruption: next->prev should be prev (fffffd01e9698a18), but was 0000000000000000. (next=ffff10001a0decc8). pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : list_add_valid_or_report+0x7c/0xb8 lr : list_add_valid_or_report+0x7c/0xb8 Call trace:  __list_add_valid_or_report+0x7c/0xb8  perf_pmu_register+0x22c/0x3a0  arm_ni_probe+0x554/0x70c [arm_ni]  platform_probe+0x70/0xe8  really_probe+0xc6/0x4d8  driver_probe_device+0x48/0x170  __driver_attach+0x8e/0x1c0  bus_for_each_dev+0x64/0xf0  driver_add+0x138/0x260  bus_add_driver+0x68/0x138  __platform_driver_register+0x2c/0x40  arm_ni_init+0x14/0x2a [arm_ni]  do_init_module+0x36/0x298 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38169",
                        "url": "https://ubuntu.com/security/CVE-2025-38169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP  On system with SME, a thread's kernel FPSIMD state may be erroneously clobbered during a context switch immediately after that state is restored. Systems without SME are unaffected.  If the CPU happens to be in streaming SVE mode before a context switch to a thread with kernel FPSIMD state, fpsimd_thread_switch() will restore the kernel FPSIMD state using fpsimd_load_kernel_state() while the CPU is still in streaming SVE mode. When fpsimd_thread_switch() subsequently calls fpsimd_flush_cpu_state(), this will execute an SMSTOP, causing an exit from streaming SVE mode. The exit from streaming SVE mode will cause the hardware to reset a number of FPSIMD/SVE/SME registers, clobbering the FPSIMD state.  Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38170",
                        "url": "https://ubuntu.com/security/CVE-2025-38170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Discard stale CPU state when handling SME traps  The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set:  |        /* With TIF_SME userspace shouldn't generate any traps */ |        if (test_and_set_thread_flag(TIF_SME)) |                WARN_ON(1);  This is very similar to the SVE issue we fixed in commit:    751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")  The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g.  | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { |         // Trap on CPU 0 with TIF_SME clear, SME traps enabled |         // task->fpsimd_cpu is 0. |         // per_cpu_ptr(&fpsimd_last_state, 0) is task. | |         ... | |         // Preempted; migrated from CPU 0 to CPU 1. |         // TIF_FOREIGN_FPSTATE is set. | |         get_cpu_fpsimd_context(); | |         /* With TIF_SME userspace shouldn't generate any traps */ |         if (test_and_set_thread_flag(TIF_SME)) |                 WARN_ON(1); | |         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { |                 unsigned long vq_minus_one = |                         sve_vq_from_vl(task_get_sme_vl(current)) - 1; |                 sme_set_vq(vq_minus_one); | |                 fpsimd_bind_task_to_cpu(); |         } | |         put_cpu_fpsimd_context(); | |         // Preempted; migrated from CPU 1 to CPU 0. 
|         // task->fpsimd_cpu is still 0 |         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: |         // - Stale HW state is reused (with SME traps enabled) |         // - TIF_FOREIGN_FPSTATE is cleared |         // - A return to userspace skips HW state restore | }  Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.  Note: this was originally posted as [1].  [ Rutland: rewrite commit message ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38319",
                        "url": "https://ubuntu.com/security/CVE-2025-38319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table  The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL which is later dereferenced.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38297",
                        "url": "https://ubuntu.com/security/CVE-2025-38297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PM: EM: Fix potential division-by-zero error in em_compute_costs()  When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating costs in em_compute_costs().  Since the 'cost' algorithm is only used for EAS energy efficiency calculations and is currently not utilized by other device drivers, we should add the _is_cpu_device(dev) check to prevent this division-by-zero issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38298",
                        "url": "https://ubuntu.com/security/CVE-2025-38298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/skx_common: Fix general protection fault  After loading i10nm_edac (which automatically loads skx_edac_common), if unload only i10nm_edac, then reload it and perform error injection testing, a general protection fault may occur:    mce: [Hardware Error]: Machine check events logged   Oops: general protection fault ...   ...   Workqueue: events mce_gen_pool_process   RIP: 0010:string+0x53/0xe0   ...   Call Trace:   <TASK>   ? die_addr+0x37/0x90   ? exc_general_protection+0x1e7/0x3f0   ? asm_exc_general_protection+0x26/0x30   ? string+0x53/0xe0   vsnprintf+0x23e/0x4c0   snprintf+0x4d/0x70   skx_adxl_decode+0x16a/0x330 [skx_edac_common]   skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]   skx_mce_check_error+0x17/0x20 [skx_edac_common]   ...  The issue arose was because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above.  Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38299",
                        "url": "https://ubuntu.com/security/CVE-2025-38299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()  ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null.  Avoid a crash if the device tree is not assigning a codec to these links.  [    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [    1.181065] Mem abort info: [    1.181420]   ESR = 0x0000000096000004 [    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits [    1.182576]   SET = 0, FnV = 0 [    1.182964]   EA = 0, S1PTW = 0 [    1.183367]   FSC = 0x04: level 0 translation fault [    1.183983] Data abort info: [    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [    1.186439] [0000000000000000] user address but active_mm is swapper [    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [    1.188029] Modules linked in: [    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 [    1.189515] Hardware name: Radxa NIO 12L (DT) [    1.190065] Workqueue: events_unbound deferred_probe_work_func [    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    1.191683] pc : __pi_strcmp+0x24/0x140 [    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 [    1.192854] sp : ffff800083473970 [    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 [    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 [    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 [    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff [    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 [    1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 
692d6b636f6c6374 [    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 [    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d [    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 [    1.202236] Call trace: [    1.202545]  __pi_strcmp+0x24/0x140 (P) [    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8 [    1.203644]  platform_probe+0x70/0xe8 [    1.204106]  really_probe+0xc8/0x3a0 [    1.204556]  __driver_probe_device+0x84/0x160 [    1.205104]  driver_probe_device+0x44/0x130 [    1.205630]  __device_attach_driver+0xc4/0x170 [    1.206189]  bus_for_each_drv+0x8c/0xf8 [    1.206672]  __device_attach+0xa8/0x1c8 [    1.207155]  device_initial_probe+0x1c/0x30 [    1.207681]  bus_probe_device+0xb0/0xc0 [    1.208165]  deferred_probe_work_func+0xa4/0x100 [    1.208747]  process_one_work+0x158/0x3e0 [    1.209254]  worker_thread+0x2c4/0x3e8 [    1.209727]  kthread+0x134/0x1f0 [    1.210136]  ret_from_fork+0x10/0x20 [    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) [    1.211355] ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38172",
                        "url": "https://ubuntu.com/security/CVE-2025-38172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid using multiple devices with different type  For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files.  However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to an UAF:    erofs_fc_get_tree     get_tree_bdev_flags(erofs_fc_fill_super)       erofs_read_superblock         erofs_init_device  // sbi->dif0 is not inited yet,                            // return -ENOTBLK       deactivate_locked_super         free(sbi)     if (err is -ENOTBLK)       sbi->dif0.file = filp_open()  // sbi UAF  So if -ENOTBLK is hitted in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38173",
                        "url": "https://ubuntu.com/security/CVE-2025-38173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: marvell/cesa - Handle zero-length skcipher requests  Do not access random memory for zero-length skcipher requests. Just return 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38300",
                        "url": "https://ubuntu.com/security/CVE-2025-38300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()  Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():  1] If dma_map_sg() fails for areq->dst, the device driver would try to free    DMA memory it has not allocated in the first place. To fix this, on the    \"theend_sgs\" error path, call dma unmap only if the corresponding dma    map was successful.  2] If the dma_map_single() call for the IV fails, the device driver would    try to free an invalid DMA memory address on the \"theend_iv\" path:    ------------[ cut here ]------------    DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address    WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90    Modules linked in: skcipher_example(O+)    CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O       6.15.0-rc3+ #24 PREEMPT    Tainted: [O]=OOT_MODULE    Hardware name: OrangePi Zero2 (DT)    pc : check_unmap+0x123c/0x1b90    lr : check_unmap+0x123c/0x1b90    ...    Call trace:     check_unmap+0x123c/0x1b90 (P)     debug_dma_unmap_page+0xac/0xc0     dma_unmap_page_attrs+0x1f4/0x5fc     sun8i_ce_cipher_do_one+0x1bd4/0x1f40     crypto_pump_work+0x334/0x6e0     kthread_worker_fn+0x21c/0x438     kthread+0x374/0x664     ret_from_fork+0x10/0x20    ---[ end trace 0000000000000000 ]---  To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the \"theend_iv\" path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38174",
                        "url": "https://ubuntu.com/security/CVE-2025-38174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  thunderbolt: Do not double dequeue a configuration request  Some of our devices crash in tb_cfg_request_dequeue():   general protection fault, probably for non-canonical address 0xdead000000000122   CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65  RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0  Call Trace:  <TASK>  ? tb_cfg_request_dequeue+0x2d/0xa0  tb_cfg_request_work+0x33/0x80  worker_thread+0x386/0x8f0  kthread+0xed/0x110  ret_from_fork+0x38/0x50  ret_from_fork_asm+0x1b/0x30  The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request().  Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122).  Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38175",
                        "url": "https://ubuntu.com/security/CVE-2025-38175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix yet another UAF in binder_devices  Commit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed:    ==================================================================   BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100   Write of size 8 at addr ffff0000c773b900 by task umount/467   CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT   Hardware name: linux,dummy-virt (DT)   Call trace:    binder_remove_device+0xd4/0x100    binderfs_evict_inode+0x230/0x2f0    evict+0x25c/0x5dc    iput+0x304/0x480    dentry_unlink_inode+0x208/0x46c    __dentry_kill+0x154/0x530    [...]    Allocated by task 463:    __kmalloc_cache_noprof+0x13c/0x324    binderfs_binder_device_create.isra.0+0x138/0xa60    binder_ctl_ioctl+0x1ac/0x230   [...]    Freed by task 215:    kfree+0x184/0x31c    binder_proc_dec_tmpref+0x33c/0x4ac    binder_deferred_func+0xc10/0x1108    process_one_work+0x520/0xba4   [...]   ==================================================================  Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38176",
                        "url": "https://ubuntu.com/security/CVE-2025-38176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix use-after-free in binderfs_evict_inode()  Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:  BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699  CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x1c2/0x2a0  ? __pfx_dump_stack_lvl+0x10/0x10  ? __pfx__printk+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  print_report+0x155/0x840  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  ? __phys_addr+0xba/0x170  ? binderfs_evict_inode+0x1de/0x2d0  kasan_report+0x147/0x180  ? binderfs_evict_inode+0x1de/0x2d0  binderfs_evict_inode+0x1de/0x2d0  ? __pfx_binderfs_evict_inode+0x10/0x10  evict+0x524/0x9f0  ? __pfx_lock_release+0x10/0x10  ? __pfx_evict+0x10/0x10  ? do_raw_spin_unlock+0x4d/0x210  ? _raw_spin_unlock+0x28/0x50  ? iput+0x697/0x9b0  __dentry_kill+0x209/0x660  ? shrink_kill+0x8d/0x2c0  shrink_kill+0xa9/0x2c0  shrink_dentry_list+0x2e0/0x5e0  shrink_dcache_parent+0xa2/0x2c0  ? __pfx_shrink_dcache_parent+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __pfx_do_raw_spin_lock+0x10/0x10  do_one_tree+0x23/0xe0  shrink_dcache_for_umount+0xa0/0x170  generic_shutdown_super+0x67/0x390  kill_litter_super+0x76/0xb0  binderfs_kill_super+0x44/0x90  deactivate_locked_super+0xb9/0x130  cleanup_mnt+0x422/0x4c0  ? lockdep_hardirqs_on+0x9d/0x150  task_work_run+0x1d2/0x260  ? __pfx_task_work_run+0x10/0x10  resume_user_mode_work+0x52/0x60  syscall_exit_to_user_mode+0x9a/0x120  do_syscall_64+0x103/0x210  ? 
asm_sysvec_apic_timer_interrupt+0x1a/0x20  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830  </TASK>  Allocated by task 1705:  kasan_save_track+0x3e/0x80  __kasan_kmalloc+0x8f/0xa0  __kmalloc_cache_noprof+0x213/0x3e0  binderfs_binder_device_create+0x183/0xa80  binder_ctl_ioctl+0x138/0x190  __x64_sys_ioctl+0x120/0x1b0  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 1705:  kasan_save_track+0x3e/0x80  kasan_save_free_info+0x46/0x50  __kasan_slab_free+0x62/0x70  kfree+0x194/0x440  evict+0x524/0x9f0  do_unlinkat+0x390/0x5b0  __x64_sys_unlink+0x47/0x50  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.  I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38265",
                        "url": "https://ubuntu.com/security/CVE-2025-38265",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: jsm: fix NPE during jsm_uart_port_init  No device was set which caused serial_base_ctrl_add to crash.   BUG: kernel NULL pointer dereference, address: 0000000000000050  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI  CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1  RIP: 0010:serial_base_ctrl_add+0x96/0x120  Call Trace:   <TASK>   serial_core_register_port+0x1a0/0x580   ? __setup_irq+0x39c/0x660   ? __kmalloc_cache_noprof+0x111/0x310   jsm_uart_port_init+0xe8/0x180 [jsm]   jsm_probe_one+0x1f4/0x410 [jsm]   local_pci_probe+0x42/0x90   pci_device_probe+0x22f/0x270   really_probe+0xdb/0x340   ? pm_runtime_barrier+0x54/0x90   ? __pfx___driver_attach+0x10/0x10   __driver_probe_device+0x78/0x110   driver_probe_device+0x1f/0xa0   __driver_attach+0xba/0x1c0   bus_for_each_dev+0x8c/0xe0   bus_add_driver+0x112/0x1f0   driver_register+0x72/0xd0   jsm_init_module+0x36/0xff0 [jsm]   ? __pfx_jsm_init_module+0x10/0x10 [jsm]   do_one_initcall+0x58/0x310   do_init_module+0x60/0x230  Tested with Digi Neo PCIe 8 port card.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38092",
                        "url": "https://ubuntu.com/security/CVE-2025-38092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: use list_first_entry_or_null for opinfo_get_list()  The list_first_entry() macro never returns NULL.  If the list is empty then it returns an invalid pointer.  Use list_first_entry_or_null() to check if the list is empty.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38091",
                        "url": "https://ubuntu.com/security/CVE-2025-38091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: check stream id dml21 wrapper to get plane_id  [Why & How] Fix a false positive warning which occurs due to lack of correct checks when querying plane_id in DML21. This fixes the warning when performing a mode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):  [   35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi [   35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G          OE      6.11.0-21-generic #21~24.04.1-Ubuntu [   35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [   35.751505] Hardware name: Gigabyte Technology Co., Ltd. 
X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024 [   35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu] [   35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87 [   35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246 [   35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000 [   35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [   35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000 [   35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000 [   35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000 [   35.751803] FS:  0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000 [   35.751804] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0 [   35.751806] PKRU: 55555554 [   35.751807] Call Trace: [   35.751810]  <TASK> [   35.751816]  ? show_regs+0x6c/0x80 [   35.751820]  ? __warn+0x88/0x140 [   35.751822]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751964]  ? report_bug+0x182/0x1b0 [   35.751969]  ? handle_bug+0x6e/0xb0 [   35.751972]  ? exc_invalid_op+0x18/0x80 [   35.751974]  ? asm_exc_invalid_op+0x1b/0x20 [   35.751978]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.752117]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752256]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752260]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752400]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752403]  ? math_pow+0x11/0xa0 [amdgpu] [   35.752524]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752526]  ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu] [   35.752663]  ? 
srso_alias_return_thunk+0x5/0xfbef5 [   35.752669]  dml21_validate+0x3d4/0x980 [amdgpu]  (cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38082",
                        "url": "https://ubuntu.com/security/CVE-2025-38082",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpio: virtuser: fix potential out-of-bound write  If the caller wrote more characters, count is truncated to the max available space in \"simple_write_to_buffer\". Check that the input size does not exceed the buffer size. Write a zero termination afterwards.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38050",
                        "url": "https://ubuntu.com/security/CVE-2025-38050",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios  A kernel crash was observed when replacing free hugetlb folios:  BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK>  replace_free_hugepage_folios+0xb6/0x100  alloc_contig_range_noprof+0x18a/0x590  ? srso_return_thunk+0x5/0x5f  ? down_read+0x12/0xa0  ? srso_return_thunk+0x5/0x5f  cma_range_alloc.constprop.0+0x131/0x290  __cma_alloc+0xcf/0x2c0  cma_alloc_write+0x43/0xb0  simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110  debugfs_attr_write+0x46/0x70  full_proxy_write+0x62/0xa0  vfs_write+0xf8/0x420  ? srso_return_thunk+0x5/0x5f  ? filp_flush+0x86/0xa0  ? srso_return_thunk+0x5/0x5f  ? filp_close+0x1f/0x30  ? srso_return_thunk+0x5/0x5f  ? do_dup2+0xaf/0x160  ? 
srso_return_thunk+0x5/0x5f  ksys_write+0x65/0xe0  do_syscall_64+0x64/0x170  entry_SYSCALL_64_after_hwframe+0x76/0x7e  There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios():  CPU1                              CPU2 __update_and_free_hugetlb_folio   replace_free_hugepage_folios                                     folio_test_hugetlb(folio)                                     -- It's still hugetlb folio.    __folio_clear_hugetlb(folio)   hugetlb_free_folio(folio)                                     h = folio_hstate(folio)                                     -- Here, h is NULL pointer  When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38029",
                        "url": "https://ubuntu.com/security/CVE-2025-38029",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kasan: avoid sleepable page allocation from atomic context  apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g.  if an architecutre disables preemption on lazy MMU mode enter.  On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:  [    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [    0.663358] preempt_count: 1, expected: 0 [    0.663366] RCU nest depth: 0, expected: 0 [    0.663375] no locks held by kthreadd/2. [    0.663383] Preemption disabled at: [    0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [    0.663409] Call Trace: [    0.663410]  [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [    0.663413]  [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [    0.663415]  [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [    0.663419]  [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [    0.663421]  [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [    0.663424]  [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [    0.663427]  [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [    0.663429]  [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [    0.663433]  [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [    0.663435]  [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [    0.663437]  [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [    
0.663440]  [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [    0.663442]  [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [    0.663445]  [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [    0.663448]  [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [    0.663451]  [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [    0.663454]  [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [    0.663457]  [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [    0.663460]  [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [    0.663463]  [<0002f3284c45be90>] copy_process+0x280/0x4b90 [    0.663465]  [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [    0.663467]  [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [    0.663469]  [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [    0.663472]  [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [    0.663475]  [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38  Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38076",
                        "url": "https://ubuntu.com/security/CVE-2025-38076",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  alloc_tag: allocate percpu counters for module tags dynamically  When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused.  However percpu counters referenced by the tags are freed by free_module().  This will lead to UAF if the memory allocated by a module is accessed after module was unloaded.  To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading.  This also removes the requirement of a larger PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38051",
                        "url": "https://ubuntu.com/security/CVE-2025-38051",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix use-after-free in cifs_fill_dirent  There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning.   ==================================================================  BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]  Read of size 4 at addr ffff8880099b819c by task a.out/342975   CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014  Call Trace:   <TASK>   dump_stack_lvl+0x53/0x70   print_report+0xce/0x640   kasan_report+0xb8/0xf0   cifs_fill_dirent+0xb03/0xb60 [cifs]   cifs_readdir+0x12cb/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f996f64b9f9  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01  f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8  RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e  RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88  R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000   </TASK>   Allocated by task 408:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   __kasan_slab_alloc+0x6e/0x70   kmem_cache_alloc_noprof+0x117/0x3d0   mempool_alloc_noprof+0xf2/0x2c0   cifs_buf_get+0x36/0x80 [cifs]   allocate_buffers+0x1d2/0x330 [cifs]   cifs_demultiplex_thread+0x22b/0x2690 [cifs]   kthread+0x394/0x720   ret_from_fork+0x34/0x70   
ret_from_fork_asm+0x1a/0x30   Freed by task 342979:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x60   __kasan_slab_free+0x37/0x50   kmem_cache_free+0x2b8/0x500   cifs_buf_release+0x3c/0x70 [cifs]   cifs_readdir+0x1c97/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents64+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e   The buggy address belongs to the object at ffff8880099b8000   which belongs to the cache cifs_request of size 16588  The buggy address is located 412 bytes inside of   freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)   The buggy address belongs to the physical page:  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8  head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  anon flags: 0x80000000000040(head|node=0|zone=1)  page_type: f5(slab)  raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff  head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008  page dumped because: kasan: bad access detected   Memory state around the buggy address:   ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                              ^   ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  ==================================================================  POC is available in the link [1].  
The problem triggering process is as follows:  Process 1                       Process 2 ----------------------------------- ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38077",
                        "url": "https://ubuntu.com/security/CVE-2025-38077",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()  If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow.  Add a check for an empty string.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38078",
                        "url": "https://ubuntu.com/security/CVE-2025-38078",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: Fix race of buffer access at PCM OSS layer  The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area.  But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops.  For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38003",
                        "url": "https://ubuntu.com/security/CVE-2025-38003",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add missing rcu read protection for procfs content  When the procfs content is generated for a bcm_op which is in the process of being removed, the procfs output might show unreliable data (UAF).  As the removal of bcm_op's is already implemented with rcu handling, this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-08 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38004",
                        "url": "https://ubuntu.com/security/CVE-2025-38004",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add locking for bcm_op runtime updates  The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero.  Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh.  At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-08 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38031",
                        "url": "https://ubuntu.com/security/CVE-2025-38031",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: do not leak refcount in reorder_work  A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented.  Fix this by checking the return value of queue_work() and decrementing the refcount when necessary.  Resolves:  Unreferenced object 0xffff9d9f421e3d80 (size 192):   comm \"cryptomgr_probe\", pid 157, jiffies 4294694003   hex dump (first 32 bytes):     80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............     d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.   backtrace (crc 838fb36):     __kmalloc_cache_noprof+0x284/0x320     padata_alloc_pd+0x20/0x1e0     padata_alloc_shell+0x3b/0xa0     0xffffffffc040a54d     cryptomgr_probe+0x43/0xc0     kthread+0xf6/0x1f0     ret_from_fork+0x2f/0x50     ret_from_fork_asm+0x1a/0x30",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38079",
                        "url": "https://ubuntu.com/security/CVE-2025-38079",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_hash - fix double free in hash_accept  If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38052",
                        "url": "https://ubuntu.com/security/CVE-2025-38052",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done  Syzbot reported a slab-use-after-free with the following call trace:    ==================================================================   BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840   Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25    Call Trace:    kasan_report+0xd9/0x110 mm/kasan/report.c:601    tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840    crypto_request_complete include/crypto/algapi.h:266    aead_request_complete include/crypto/internal/aead.h:85    cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772    crypto_request_complete include/crypto/algapi.h:266    cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231    Allocated by task 8355:    kzalloc_noprof include/linux/slab.h:778    tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466    tipc_init_net+0x2dd/0x430 net/tipc/core.c:72    ops_init+0xb9/0x650 net/core/net_namespace.c:139    setup_net+0x435/0xb40 net/core/net_namespace.c:343    copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508    create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110    unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228    ksys_unshare+0x419/0x970 kernel/fork.c:3323    __do_sys_unshare kernel/fork.c:3394    Freed by task 63:    kfree+0x12a/0x3b0 mm/slub.c:4557    tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539    tipc_exit_net+0x8c/0x110 net/tipc/core.c:119    ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173    cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231  After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done may still visit it in cryptd_queue_worker workqueue.  
I reproduce this issue by:   ip netns add ns1   ip link add veth1 type veth peer name veth2   ip link set veth1 netns ns1   ip netns exec ns1 tipc bearer enable media eth dev veth1   ip netns exec ns1 tipc node set key this_is_a_master_key master   ip netns exec ns1 tipc bearer disable media eth dev veth1   ip netns del ns1  The key of reproduction is that, simd_aead_encrypt is interrupted, leading to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is triggered, and the tipc_crypto tx will be visited.    tipc_disc_timeout     tipc_bearer_xmit_skb       tipc_crypto_xmit         tipc_aead_encrypt           crypto_aead_encrypt             // encrypt()             simd_aead_encrypt               // crypto_simd_usable() is false               child = &ctx->cryptd_tfm->base;    simd_aead_encrypt     crypto_aead_encrypt       // encrypt()       cryptd_aead_encrypt_enqueue         cryptd_aead_enqueue           cryptd_enqueue_request             // trigger cryptd_queue_worker             queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)  Fix this by holding net reference count before encrypt.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38053",
                        "url": "https://ubuntu.com/security/CVE-2025-38053",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: fix null-ptr-deref in idpf_features_check  idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL.  To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path.  BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace:  <TASK>  ? __die+0x23/0x70  ? page_fault_oops+0x154/0x520  ? exc_page_fault+0x76/0x190  ? asm_exc_page_fault+0x26/0x30  ? idpf_features_check+0x6d/0xe0 [idpf]  netif_skb_features+0x88/0x310  validate_xmit_skb+0x2a/0x2b0  validate_xmit_skb_list+0x4c/0x70  sch_direct_xmit+0x19d/0x3a0  __dev_queue_xmit+0xb74/0xe70  ...",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38032",
                        "url": "https://ubuntu.com/security/CVE-2025-38032",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mr: consolidate the ipmr_can_free_table() checks.  Guoyu Yin reported a splat in the ipmr netns cleanup path:  WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline] WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Modules linked in: CPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ipmr_free_table net/ipv4/ipmr.c:440 [inline] RIP: 0010:ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Code: ff df 48 c1 ea 03 80 3c 02 00 75 7d 48 c7 83 60 05 00 00 00 00 00 00 5b 5d 41 5c 41 5d 41 5e e9 71 67 7f 00 e8 4c 2d 8a fd 90 <0f> 0b 90 eb 93 e8 41 2d 8a fd 0f b6 2d 80 54 ea 01 31 ff 89 ee e8 RSP: 0018:ffff888109547c58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888108c12dc0 RCX: ffffffff83e09868 RDX: ffff8881022b3300 RSI: ffffffff83e098d4 RDI: 0000000000000005 RBP: ffff888104288000 R08: 0000000000000000 R09: ffffed10211825c9 R10: 0000000000000001 R11: ffff88801816c4a0 R12: 0000000000000001 R13: ffff888108c13320 R14: ffff888108c12dc0 R15: fffffbfff0b74058 FS:  00007f84f39316c0(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f84f3930f98 CR3: 0000000113b56000 CR4: 0000000000350ef0 Call Trace:  <TASK>  ipmr_net_exit_batch+0x50/0x90 net/ipv4/ipmr.c:3160  ops_exit_list+0x10c/0x160 net/core/net_namespace.c:177  setup_net+0x47d/0x8e0 net/core/net_namespace.c:394  copy_net_ns+0x25d/0x410 net/core/net_namespace.c:516  create_new_namespaces+0x3f6/0xaf0 kernel/nsproxy.c:110  unshare_nsproxy_namespaces+0xc3/0x180 kernel/nsproxy.c:228  ksys_unshare+0x78d/0x9a0 kernel/fork.c:3342  __do_sys_unshare kernel/fork.c:3413 [inline]  __se_sys_unshare kernel/fork.c:3411 [inline]  __x64_sys_unshare+0x31/0x40 
kernel/fork.c:3411  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f84f532cc29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f84f3931038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f84f5615fa0 RCX: 00007f84f532cc29 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000400 RBP: 00007f84f53fba18 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f84f5615fa0 R15: 00007fff51c5f328  </TASK>  The running kernel has CONFIG_IP_MROUTE_MULTIPLE_TABLES disabled, and the sanity check for such build is still too loose.  Address the issue consolidating the relevant sanity check in a single helper regardless of the kernel configuration. Also share it between the ipv4 and ipv6 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38054",
                        "url": "https://ubuntu.com/security/CVE-2025-38054",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: ocp: Limit signal/freq counts in summary output functions  The debugfs summary output could access uninitialized elements in the freq_in[] and signal_out[] arrays, causing NULL pointer dereferences and triggering a kernel Oops (page_fault_oops). This patch adds u8 fields (nr_freq_in, nr_signal_out) to track the number of initialized elements, with a maximum of 4 per array. The summary output functions are updated to respect these limits, preventing out-of-bounds access and ensuring safe array handling.  Widen the label variables because the change confuses GCC about max length of the strings.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38055",
                        "url": "https://ubuntu.com/security/CVE-2025-38055",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq  Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault.  For example:      BUG: kernel NULL pointer dereference, address: 0000000000000195     <NMI>     ? __die_body.cold+0x19/0x27     ? page_fault_oops+0xca/0x290     ? exc_page_fault+0x7e/0x1b0     ? asm_exc_page_fault+0x26/0x30     ? intel_pmu_pebs_event_update_no_drain+0x40/0x60     ? intel_pmu_pebs_event_update_no_drain+0x32/0x60     intel_pmu_drain_pebs_icl+0x333/0x350     handle_pmi_common+0x272/0x3c0     intel_pmu_handle_irq+0x10a/0x2e0     perf_event_nmi_handler+0x2a/0x50  That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.  The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.  Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'.  Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38057",
                        "url": "https://ubuntu.com/security/CVE-2025-38057",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  espintcp: fix skb leaks  A few error paths are missing a kfree_skb.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38058",
                        "url": "https://ubuntu.com/security/CVE-2025-38058",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock  ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput().  Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38033",
                        "url": "https://ubuntu.com/security/CVE-2025-38033",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88  Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic:  [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U    O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250  This happens because core::fmt::write() calls core::fmt::rt::Argument::fmt(), which currently has CFI disabled:  library/core/src/fmt/rt.rs: 171     // FIXME: Transmuting formatter in new and indirectly branching to/calling 172     // it here is an explicit CFI violation. 
173     #[allow(inline_no_sanitize)] 174     #[no_sanitize(cfi, kcfi)] 175     #[inline] 176     pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result {  This causes a Control Protection exception, because FineIBT has sealed off the original function's endbr64.  This makes rust currently incompatible with FineIBT. Add a Kconfig dependency that prevents FineIBT from getting turned on by default if rust is enabled.  [ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],   and thus we relaxed the condition with Rust >= 1.88.    When `objtool` lands checking for this with e.g. [2], the plan is   to ideally run that in upstream Rust's CI to prevent regressions   early [3], since we do not control `core`'s source code.    Alice tested the Rust PR backported to an older compiler.    Peter would like that Rust provides a stable `core` which can be   pulled into the kernel: \"Relying on that much out of tree code is   'unfortunate'\".      - Miguel ]  [ Reduced splat. - Miguel ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38059",
                        "url": "https://ubuntu.com/security/CVE-2025-38059",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid NULL pointer dereference if no valid csum tree  [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace:    BUG: kernel NULL pointer dereference, address: 0000000000000208   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O       6.15.0-rc3-custom+ #236 PREEMPT(full)   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022   RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]   Call Trace:    <TASK>    scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]    scrub_simple_mirror+0x175/0x290 [btrfs]    scrub_stripe+0x5f7/0x6f0 [btrfs]    scrub_chunk+0x9a/0x150 [btrfs]    scrub_enumerate_chunks+0x333/0x660 [btrfs]    btrfs_scrub_dev+0x23e/0x600 [btrfs]    btrfs_ioctl+0x1dcf/0x2f80 [btrfs]    __x64_sys_ioctl+0x97/0xc0    do_syscall_64+0x4f/0x120    entry_SYSCALL_64_after_hwframe+0x76/0x7e  [CAUSE] Mount option \"rescue=idatacsums\" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification.  Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.  This results in scrub calling btrfs_search_slot() on a NULL pointer, which triggers the above crash.  [FIX] Check both extent and csum tree root before doing any tree search.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38034",
                        "url": "https://ubuntu.com/security/CVE-2025-38034",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref  btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().  Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.  To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable  Perform some writeback operations.  Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014  RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130  Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88  RSP: 0018:ffffce44820077a0 EFLAGS: 00010286  RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b  RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010  RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010  R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000  R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540  FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0  PKRU: 
55555554  Call Trace:   <TASK>   prelim_ref_insert+0x1c1/0x270   find_parent_nodes+0x12a6/0x1ee0   ? __entry_text_end+0x101f06/0x101f09   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   btrfs_is_data_extent_shared+0x167/0x640   ? fiemap_process_hole+0xd0/0x2c0   extent_fiemap+0xa5c/0xbc0   ? __entry_text_end+0x101f05/0x101f09   btrfs_fiemap+0x7e/0xd0   do_vfs_ioctl+0x425/0x9d0   __x64_sys_ioctl+0x75/0xc0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38035",
                        "url": "https://ubuntu.com/security/CVE-2025-38035",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: don't restore null sk_state_change  queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if the TCP connection isn't established when nvmet_tcp_set_queue_sock() is called then queue->state_change isn't set and sock->sk->sk_state_change isn't replaced.  As such we don't need to restore sock->sk->sk_state_change if queue->state_change is NULL.  This avoids NULL pointer dereferences such as this:  [  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode [  286.463796][    C0] #PF: error_code(0x0010) - not-present page [  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0 [  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI [  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary) [  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [  286.467147][    C0] RIP: 0010:0x0 [  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246 [  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43 [  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100 [  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c [  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3 [  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268 [  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000 [  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0 [  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [  286.475453][    C0] Call Trace: [  286.476102][    C0]  <IRQ> [  286.476719][    C0]  tcp_fin+0x2bb/0x440 [  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60 [  286.478174][    C0]  ? __build_skb_around+0x234/0x330 [  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10 [  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0 [  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30 [  286.482769][    C0]  ? ktime_get+0x66/0x150 [  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050 [  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0 [  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10 [  286.486917][    C0]  ? lock_release+0x217/0x2c0 [  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0 [  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30 [  286.488904][    C0]  ? 
raw_local_deliver+0x51b/0xad0 [  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10 [  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10 [  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack] [  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370 [  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420 [  286.494268][    C0]  ip_local_deliver+0x168/0x430 [  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10 [  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10 [  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20 [  286.496806][    C0]  ? lock_release+0x217/0x2c0 [  286.497414][    C0]  ip_rcv+0x455/0x6e0 [  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10 [ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38036",
                        "url": "https://ubuntu.com/security/CVE-2025-38036",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/vf: Perform early GT MMIO initialization to read GMDID  VFs need to communicate with the GuC to obtain the GMDID value and existing GuC functions used for that assume that the GT has its MMIO members already set up. However, due to recent refactoring the gt->mmio is initialized later, and any attempt by the VF to use xe_mmio_read|write() from GuC functions will lead to NPD crash due to unset MMIO register address:  [] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode [] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507 [] BUG: unable to handle page fault for address: 0000000000190240  Since we are already tweaking the id and type of the primary GT to mimic it's a Media GT before initializing the GuC communication, we can also call xe_gt_mmio_init() to perform early setup of the gt->mmio which will make those GuC functions work again.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38037",
                        "url": "https://ubuntu.com/security/CVE-2025-38037",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: Annotate FDB data races  The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2].  Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE().  [1] BUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit  write to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:  vxlan_xmit+0xb29/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  read to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:  vxlan_xmit+0xadf/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  value changed: 0x00000000fffbac6e -> 0x00000000fffbac6f  Reported by Kernel Concurrency Sanitizer on: CPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014  [2]  #!/bin/bash   set +H  echo whitelist > /sys/kernel/debug/kcsan  echo !vxlan_xmit > /sys/kernel/debug/kcsan   ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1  bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1  taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &  taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38038",
                        "url": "https://ubuntu.com/security/CVE-2025-38038",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost  set_boost is a per-policy function call, hence a driver wide lock is unnecessary. Also this mutex_acquire can collide with the mutex_acquire from the mode-switch path in status_store(), which can lead to a deadlock. So, remove it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38039",
                        "url": "https://ubuntu.com/security/CVE-2025-38039",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled  When attempting to enable MQPRIO while HTB offload is already configured, the driver currently returns `-EINVAL` and triggers a `WARN_ON`, leading to an unnecessary call trace.  Update the code to handle this case more gracefully by returning `-EOPNOTSUPP` instead, while also providing a helpful user message.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38080",
                        "url": "https://ubuntu.com/security/CVE-2025-38080",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Increase block_sequence array size  [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash.  [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38060",
                        "url": "https://ubuntu.com/security/CVE-2025-38060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: copy_verifier_state() should copy 'loop_entry' field  The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state.  Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack().  See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.  This change has some verification performance impact for selftests:  File                                Program                       Insns (A)  Insns (B)  Insns   (DIFF)  States (A)  States (B)  States (DIFF) ----------------------------------  ----------------------------  ---------  ---------  --------------  ----------  ----------  ------------- arena_htab.bpf.o                    arena_htab_llvm                     717        426  -291 (-40.59%)          57          37  -20 (-35.09%) arena_htab_asm.bpf.o                arena_htab_asm                      597        445  -152 (-25.46%)          47          37  -10 (-21.28%) arena_list.bpf.o                    arena_list_del                      309        279    -30 (-9.71%)          23          14   -9 (-39.13%) iters.bpf.o                         iter_subprog_check_stacksafe        155        141    -14 (-9.03%)          15          14    -1 (-6.67%) iters.bpf.o                         iter_subprog_iters                 1094       1003    -91 (-8.32%)          88          83    -5 (-5.68%) iters.bpf.o                         loop_state_deps2                    479        725  +246 (+51.36%)          46          63  +17 (+36.96%) kmem_cache_iter.bpf.o               
open_coded_iter                      63         59     -4 (-6.35%)           7           6   -1 (-14.29%) verifier_bits_iter.bpf.o            max_words                            92         84     -8 (-8.70%)           8           7   -1 (-12.50%) verifier_iterating_callbacks.bpf.o  cond_break2                         113        107     -6 (-5.31%)          12          12    +0 (+0.00%)  And significant negative impact for sched_ext:  File               Program                 Insns (A)  Insns (B)  Insns        (DIFF)  States (A)  States (B)  States      (DIFF) -----------------  ----------------------  ---------  --------- --------------------  ----------  ----------  ------------------ bpf.bpf.o          lavd_init                    7039      14723      +7684 (+109.16%)         490        1139     +649 (+132.45%) bpf.bpf.o          layered_dispatch            11485      10548        -937 (-8.16%)         848         762       -86 (-10.14%) bpf.bpf.o          layered_dump                 7422    1000001  +992579 (+13373.47%)         681       31178  +30497 (+4478.27%) bpf.bpf.o          layered_enqueue             16854      71127     +54273 (+322.02%)        1611        6450    +4839 (+300.37%) bpf.bpf.o          p2dq_dispatch                 665        791        +126 (+18.95%)          68          78       +10 (+14.71%) bpf.bpf.o          p2dq_init                    2343       2980        +637 (+27.19%)         201         237       +36 (+17.91%) bpf.bpf.o          refresh_layer_cpumasks      16487     674760   +658273 (+3992.68%)        1770       65370  +63600 (+3593.22%) bpf.bpf.o          rusty_select_cpu             1937      40872    +38935 (+2010.07%)         177        3210   +3033 (+1713.56%) scx_central.bpf.o  central_dispatch              636       2687      +2051 (+322.48%)          63         227     +164 (+260.32%) scx_nest.bpf.o     nest_init                     636        815        +179 (+28.14%)          60          73       +13 (+21.67%) 
scx_qmap.bpf.o     qmap_dispatch      ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38040",
                        "url": "https://ubuntu.com/security/CVE-2025-38040",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: mctrl_gpio: split disable_ms into sync and no_sync APIs  The following splat has been observed on a SAMA5D27 platform using atmel_serial:  BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last  enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last  enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x44/0x70   dump_stack_lvl from __might_resched+0x38c/0x598   __might_resched from disable_irq+0x1c/0x48   disable_irq from mctrl_gpio_disable_ms+0x74/0xc0   mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4   atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8   atmel_set_termios from uart_change_line_settings+0x15c/0x994   uart_change_line_settings from uart_set_termios+0x2b0/0x668   uart_set_termios from tty_set_termios+0x600/0x8ec   tty_set_termios from ttyport_set_flow_control+0x188/0x1e0   ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]   wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]   hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]   hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]   hci_power_on [bluetooth] from process_one_work+0x998/0x1a38   process_one_work from worker_thread+0x6e0/0xfb4   worker_thread from kthread+0x3d4/0x484   kthread from ret_from_fork+0x14/0x28  This warning is emitted when trying to 
toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock).  Split mctrl_gpio_disable_ms into two different APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38061",
                        "url": "https://ubuntu.com/security/CVE-2025-38061",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: pktgen: fix access outside of user given buffer in pktgen_thread_write()  Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38062",
                        "url": "https://ubuntu.com/security/CVE-2025-38062",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie  The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:   1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address     is stored in the MSI descriptor when an MSI interrupt is allocated.   2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a     translated message address.  This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.  Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the \"container\" after starting up.  However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).  This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.  Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.  
The other UAF related to iommu_get_domain_for_dev() will be addressed in patch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by using the IOMMU group mutex.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38041",
                        "url": "https://ubuntu.com/security/CVE-2025-38041",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: sunxi-ng: h616: Reparent GPU clock during frequency changes  The H616 manual does not state that the GPU PLL supports dynamic frequency configuration, so we must take extra care when changing the frequency. Currently any attempt to do device DVFS on the GPU leads to various panfrost oopses and GPU hangs.  The manual describes the algorithm for changing the PLL frequency, which the CPU PLL notifier code already supports, so we reuse that to reparent the GPU clock to GPU1 clock during frequency changes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38063",
                        "url": "https://ubuntu.com/security/CVE-2025-38063",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix unconditional IO throttle caused by REQ_PREFLUSH  When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait().  An example from v5.4, similar problem also exists in upstream:      crash> bt 2091206     PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"      #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8      #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4      #2 [ffff800084a2f880] schedule at ffff800040bfa4b4      #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4      #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc      #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0      #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254      #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38      #8 [ffff800084a2fa60] generic_make_request at ffff800040570138      #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4     #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]     #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]     #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]     #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]     #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]     #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]     #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08     #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc     #18 [ffff800084a2fe70] kthread at ffff800040118de4  After commit 2def2845cc33 (\"xfs: don't allow log IO to be throttled\"), the metadata submitted by xlog_write_iclog() should not be throttled. But due to the existence of the dm layer, throttling flush_bio indirectly causes the metadata bio to be throttled.  
Fix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes wbt_should_throttle() return false to avoid wbt_wait().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38064",
                        "url": "https://ubuntu.com/security/CVE-2025-38064",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio: break and reset virtio devices on device_shutdown()  Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang.  \tInvalid read at addr 0x102877002, size 2, region '(null)', reason: rejected \tInvalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected \t...  It was traced down to virtio-console. Kexec works fine if virtio-console is not in use.  The issue is that virtio-console continues to write to the MMIO even after underlying virtio-pci device is reset.  Additionally, Eric noticed that IOMMUs are reset before devices, if devices are not reset on shutdown they continue to poke at guest memory and get errors from the IOMMU. Some devices get wedged then.  The problem can be solved by breaking all virtio devices on virtio bus shutdown, then resetting them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38042",
                        "url": "https://ubuntu.com/security/CVE-2025-38042",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn  The user of k3_udma_glue_reset_rx_chn() e.g. ti_am65_cpsw_nuss can run on multiple platforms having different DMA architectures. On some platforms there can be one FDQ for all flows in the RX channel while for others there is a separate FDQ for each flow in the RX channel.  So far we have been relying on the skip_fdq argument of k3_udma_glue_reset_rx_chn().  Instead of relying on the user to provide this information, infer it based on DMA architecture during k3_udma_glue_request_rx_chn() and save it in an internal flag 'single_fdq'. Use that flag at k3_udma_glue_reset_rx_chn() to deicide if the FDQ needs to be cleared for every flow or just for flow 0.  Fixes the below issue on ti_am65_cpsw_nuss driver on AM62-SK.  > ip link set eth1 down > ip link set eth0 down > ethtool -L eth0 rx 8 > ip link set eth0 up > modprobe -r ti_am65_cpsw_nuss  [  103.045726] ------------[ cut here ]------------ [  103.050505] k3_knav_desc_pool size 512000 != avail 64000 [  103.050703] WARNING: CPU: 1 PID: 450 at drivers/net/ethernet/ti/k3-cppi-desc-pool.c:33 k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.068810] Modules linked in: ti_am65_cpsw_nuss(-) k3_cppi_desc_pool snd_soc_hdmi_codec crct10dif_ce snd_soc_simple_card snd_soc_simple_card_utils display_connector rtc_ti_k3 k3_j72xx_bandgap tidss drm_client_lib snd_soc_davinci_mcas p drm_dma_helper tps6598x phylink snd_soc_ti_udma rti_wdt drm_display_helper snd_soc_tlv320aic3x_i2c typec at24 phy_gmii_sel snd_soc_ti_edma snd_soc_tlv320aic3x sii902x snd_soc_ti_sdma sa2ul omap_mailbox drm_kms_helper authenc cfg80211 r fkill fuse drm drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: k3_cppi_desc_pool] [  103.119950] CPU: 1 UID: 0 PID: 450 Comm: modprobe Not tainted 6.13.0-rc7-00001-g9c5e3435fa66 #1011 [  
103.119968] Hardware name: Texas Instruments AM625 SK (DT) [  103.119974] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  103.119983] pc : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.148007] lr : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.154709] sp : ffff8000826ebbc0 [  103.158015] x29: ffff8000826ebbc0 x28: ffff0000090b6300 x27: 0000000000000000 [  103.165145] x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000019df6b0 [  103.172271] x23: ffff0000019df6b8 x22: ffff0000019df410 x21: ffff8000826ebc88 [  103.179397] x20: 000000000007d000 x19: ffff00000a3b3000 x18: 0000000000000000 [  103.186522] x17: 0000000000000000 x16: 0000000000000000 x15: 000001e8c35e1cde [  103.193647] x14: 0000000000000396 x13: 000000000000035c x12: 0000000000000000 [  103.200772] x11: 000000000000003a x10: 00000000000009c0 x9 : ffff8000826eba20 [  103.207897] x8 : ffff0000090b6d20 x7 : ffff00007728c180 x6 : ffff00007728c100 [  103.215022] x5 : 0000000000000001 x4 : ffff000000508a50 x3 : ffff7ffff6146000 [  103.222147] x2 : 0000000000000000 x1 : e300b4173ee6b200 x0 : 0000000000000000 [  103.229274] Call trace: [  103.231714]  k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] (P) [  103.238408]  am65_cpsw_nuss_free_rx_chns+0x28/0x4c [ti_am65_cpsw_nuss] [  103.244942]  devm_action_release+0x14/0x20 [  103.249040]  release_nodes+0x3c/0x68 [  103.252610]  devres_release_all+0x8c/0xdc [  103.256614]  device_unbind_cleanup+0x18/0x60 [  103.260876]  device_release_driver_internal+0xf8/0x178 [  103.266004]  driver_detach+0x50/0x9c [  103.269571]  bus_remove_driver+0x6c/0xbc [  103.273485]  driver_unregister+0x30/0x60 [  103.277401]  platform_driver_unregister+0x14/0x20 [  103.282096]  am65_cpsw_nuss_driver_exit+0x18/0xff4 [ti_am65_cpsw_nuss] [  103.288620]  __arm64_sys_delete_module+0x17c/0x25c [  103.293404]  invoke_syscall+0x44/0x100 [  103.297149]  el0_svc_common.constprop.0+0xc0/0xe0 [  103.301845]  do_el0_svc+0x1c/0x28 [  
103.305155]  el0_svc+0x28/0x98 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38043",
                        "url": "https://ubuntu.com/security/CVE-2025-38043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_ffa: Set dma_mask for ffa devices  Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer leads to the following warning:  WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38044",
                        "url": "https://ubuntu.com/security/CVE-2025-38044",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: cx231xx: set device_caps for 417  The video_device for the MPEG encoder did not set device_caps.  Add this, otherwise the video device can't be registered (you get a WARN_ON instead).  Not seen before since currently 417 support is disabled, but I found this while experimenting with it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38065",
                        "url": "https://ubuntu.com/security/CVE-2025-38065",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: Do not truncate file size  'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38066",
                        "url": "https://ubuntu.com/security/CVE-2025-38066",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm cache: prevent BUG_ON by blocking retries on failed device resumes  A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.  Reproduce steps:  1. create a cache metadata consisting of 512 or more cache blocks,    with some mappings stored in the first array block of the mapping    array. Here we use cache_restore v1.0 to build the metadata.  cat <<EOF >> cmeta.xml <superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\ policy=\"smq\" hint_width=\"4\">   <mappings>     <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>   </mappings> </superblock> EOF dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta  2. wipe the second array block of the mapping array to simulate    data degradations.  mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock  3. try bringing up the cache device. The resume is expected to fail    due to the broken array block.  dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" dmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\" dmsetup create corig --table \"0 524288 linear /dev/sdc 262144\" dmsetup create cache --notable dmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\" dmsetup resume cache  4. try resuming the cache again. An unexpected BUG_ON is triggered    while loading cache mappings.  
dmsetup resume cache  Kernel logs:  (snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smq_load_mapping+0x3e5/0x570  Fix by disallowing resume operations for devices that failed the initial attempt.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38067",
                        "url": "https://ubuntu.com/security/CVE-2025-38067",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rseq: Fix segfault on registration when rseq_cs is non-zero  The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.  The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.  What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38068",
                        "url": "https://ubuntu.com/security/CVE-2025-38068",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: lzo - Fix compression buffer overrun  Unlike the decompression code, the compression code in LZO never checked for output overruns.  It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller.  Add a safe compression interface that checks for the end of buffer before each write.  Use the safe interface in crypto/lzo.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38069",
                        "url": "https://ubuntu.com/security/CVE-2025-38069",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops  Fix a kernel oops found while testing the stm32_pcie Endpoint driver with handling of PERST# deassertion:  During EP initialization, pci_epf_test_alloc_space() allocates all BARs, which are further freed if epc_set_bar() fails (for instance, due to no free inbound window).  However, when pci_epc_set_bar() fails, the error path:    pci_epc_set_bar() ->     pci_epf_free_space()  does not clear the previous assignment to epf_test->reg[bar].  Then, if the host reboots, the PERST# deassertion restarts the BAR allocation sequence with the same allocation failure (no free inbound window), creating a double free situation since epf_test->reg[bar] was deallocated and is still non-NULL.  Thus, make sure that pci_epf_alloc_space() and pci_epf_free_space() invocations are symmetric, and as such, set epf_test->reg[bar] to NULL when memory is freed.  [kwilczynski: commit log]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38045",
                        "url": "https://ubuntu.com/security/CVE-2025-38045",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix debug actions order  The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38070",
                        "url": "https://ubuntu.com/security/CVE-2025-38070",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: sma1307: Add NULL check in sma1307_setting_loaded()  All variables allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added.  This issue is found by our static analysis tool",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38071",
                        "url": "https://ubuntu.com/security/CVE-2025-38071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Check return value from memblock_phys_alloc_range()  At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() to throw the first 4 MiB of physical memory to the wolves.  At a minimum it should fail gracefully with a meaningful diagnostic, but in fact everything seems to work fine without the weird reserve allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38072",
                        "url": "https://ubuntu.com/security/CVE-2025-38072",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libnvdimm/labels: Fix divide error in nd_label_data_init()  If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver:   Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI  RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]  Code and flow:  1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver):  drivers/cxl/pmem.c:             .config_size = mds->lsa_size,  3) max_xfer is set to zero (nvdimm driver):  drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);  4) A subsequent DIV_ROUND_UP() causes a division by zero:  drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c-                 config_size);  Fix this by checking the config size parameter by extending an existing check.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38081",
                        "url": "https://ubuntu.com/security/CVE-2025-38081",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi-rockchip: Fix register out of bounds access  Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38047",
                        "url": "https://ubuntu.com/security/CVE-2025-38047",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fred: Fix system hang during S4 resume with FRED enabled  Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective.  It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original page frames used before hibernation unless those frames are currently in use.  Once all pages are moved to their original locations, it jumps to a \"trampoline\" page in the image kernel.  At this point, the image kernel takes control, but the FRED MSRs still contain values set by the restore kernel, which may differ from those set by the image kernel before hibernation.  Therefore, the image kernel must ensure the FRED MSRs have the same values as before hibernation. Since these values depend only on the location of the kernel text and data, they can be recomputed from scratch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38073",
                        "url": "https://ubuntu.com/security/CVE-2025-38073",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: fix race between set_blocksize and read paths  With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash.  Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device.  The read call can create an order-0 folio to read the first 4096 bytes from the disk.  But then udev is preempted.  Next, someone tries to mount an 8k-sectorsize filesystem from the same block device.  The filesystem calls set_blksize, which sets i_blksize to 8192 and the minimum folio order to 1.  Now udev resumes, still holding the order-0 folio it allocated.  It then tries to schedule a read bio and do_mpage_readahead tries to create bufferheads for the folio.  Unfortunately, blocks_per_folio == 0 because the page size is 4096 but the blocksize is 8192 so no bufferheads are attached and the bh walk never sets bdev.  We then submit the bio with a NULL block device and crash.  Therefore, truncate the page cache after flushing but before updating i_blksize.  However, that's not enough -- we also need to lock out file IO and page faults during the update.  Take both the i_rwsem and the invalidate_lock in exclusive mode for invalidations, and in shared mode for read/write operations.  I don't know if this is the correct fix, but xfs/259 found it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38074",
                        "url": "https://ubuntu.com/security/CVE-2025-38074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vhost-scsi: protect vq->log_used with vq->mutex  The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.      vhost-thread                       QEMU-thread  vhost_scsi_complete_cmd_work() -> vhost_add_used()    -> vhost_add_used_n()       if (unlikely(vq->log_used))                                       QEMU disables vq->log_used                                       via VHOST_SET_VRING_ADDR.                                       mutex_lock(&vq->mutex);                                       vq->log_used = false now!                                       mutex_unlock(&vq->mutex);  \t\t\t\t      QEMU gfree(vq->log_base)         log_used()         -> log_write(vq->log_base)  Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace.  The control queue path has the same issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38048",
                        "url": "https://ubuntu.com/security/CVE-2025-38048",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN  syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred:  ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed  write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:  virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653  start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264  __netdev_start_xmit include/linux/netdevice.h:5151 [inline]  netdev_start_xmit include/linux/netdevice.h:5160 [inline]  xmit_one net/core/dev.c:3800 [inline]  read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:  virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]  virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566  skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777  vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715  __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158  handle_irq_event_percpu kernel/irq/handle.c:193 [inline]  value changed: 0x01 -> 0x00 ==================================================================  When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used.  Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38075",
                        "url": "https://ubuntu.com/security/CVE-2025-38075",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: iscsi: Fix timeout on deleted connection  NOPIN response timer may expire on a deleted connection and crash with such logs:  Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d  BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP  strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace:  iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]  call_timer_fn+0x58/0x1f0  run_timer_softirq+0x740/0x860  __do_softirq+0x16c/0x420  irq_exit+0x188/0x1c0  timer_interrupt+0x184/0x410  That is because nopin response timer may be re-started on nopin timer expiration.  Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38350",
                        "url": "https://ubuntu.com/security/CVE-2025-38350",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Always pass notifications when child class becomes empty  Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.  The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:      tc qdisc add dev lo root handle 1: drr     tc filter add dev lo parent 1: basic classid 1:1     tc class add dev lo parent 1: classid 1:1 drr     tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1     tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0     tc qdisc add dev lo parent 2:1 handle 3: netem     tc qdisc add dev lo parent 3:1 handle 4: blackhole      echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888     tc class delete dev lo classid 1:1     echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888  Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. 
This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-19 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38056",
                        "url": "https://ubuntu.com/security/CVE-2025-38056",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Intel: hda: Fix UAF when reloading module  hda_generic_machine_select() appends -idisp to the tplg filename by allocating a new string with devm_kasprintf(), then stores the string right back into the global variable snd_soc_acpi_intel_hda_machines. When the module is unloaded, this memory is freed, resulting in a global variable pointing to freed memory.  Reloading the module then triggers a use-after-free:  BUG: KFENCE: use-after-free read in string+0x48/0xe0  Use-after-free read at 0x00000000967e0109 (in kfence-#99):  string+0x48/0xe0  vsnprintf+0x329/0x6e0  devm_kvasprintf+0x54/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64  allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):  devm_kmalloc+0x52/0x120  devm_kvasprintf+0x66/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):  release_nodes+0x43/0xb0  devres_release_all+0x90/0xf0  device_unbind_cleanup+0xe/0x70  device_release_driver_internal+0x1c1/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x42/0xb0  __do_sys_delete_module+0x1d1/0x310  do_syscall_64+0x82/0x190  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Fix it by copying the match array with devm_kmemdup_array() before we modify it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38008",
                        "url": "https://ubuntu.com/security/CVE-2025-38008",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/page_alloc: fix race condition in unaccepted memory handling  The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory.  Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone.  Sanity checks inside static_branch machinery detects it:  WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0  The comment around the WARN() explains the problem:  \t/* \t * Warn about the '-1' case though; since that means a \t * decrement is concurrent with a first (0->1) increment. IOW \t * people are trying to disable something that wasn't yet fully \t * enabled. This suggests an ordering problem on the user side. \t */  The effect of this static_branch optimization is only visible on microbenchmark.  Instead of adding more complexity around it, remove it altogether.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38014",
                        "url": "https://ubuntu.com/security/CVE-2025-38014",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: Refactor remove call with idxd_cleanup() helper  The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, engines and wqs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38015",
                        "url": "https://ubuntu.com/security/CVE-2025-38015",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix memory leak in error handling path of idxd_alloc  Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38005",
                        "url": "https://ubuntu.com/security/CVE-2025-38005",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma: Add missing locking  Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled:  [    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [    4.144867] Hardware name: pp-v12 (DT) [    4.148648] Workqueue: events udma_check_tx_completion [    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    4.160834] pc : udma_start.isra.0+0x34/0x238 [    4.165227] lr : udma_start.isra.0+0x30/0x238 [    4.169618] sp : ffffffc083cabcf0 [    4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [    4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [    4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [    4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [    4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [    4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [    4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [    4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [    4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [    4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [    4.244986] Call trace: [    4.247463]  udma_start.isra.0+0x34/0x238 [    4.251509]  udma_check_tx_completion+0xd0/0xdc [    4.256076]  process_one_work+0x244/0x3fc [    4.260129]  process_scheduled_works+0x6c/0x74 [    4.264610]  worker_thread+0x150/0x1dc [    4.268398]  kthread+0xd8/0xe8 [    4.271492]  ret_from_fork+0x10/0x20 [    4.275107] irq event stamp: 220 [    4.278363] hardirqs last  enabled at (219): 
[<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [    4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [    4.294879] softirqs last  enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [    4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [    4.311559] ---[ end trace 0000000000000000 ]---  This commit adds the missing locking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38009",
                        "url": "https://ubuntu.com/security/CVE-2025-38009",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: disable napi on driver removal  A warning on driver removal started occurring after commit 9dd05df8403b (\"net: warn if NAPI instance wasn't shut down\"). Disable tx napi before deleting it in mt76_dma_cleanup().   WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100  CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)  Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024  RIP: 0010:__netif_napi_del_locked+0xf0/0x100  Call Trace:  <TASK>  mt76_dma_cleanup+0x54/0x2f0 [mt76]  mt7921_pci_remove+0xd5/0x190 [mt7921e]  pci_device_remove+0x47/0xc0  device_release_driver_internal+0x19e/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x2e/0xb0  __do_sys_delete_module.isra.0+0x197/0x2e0  do_syscall_64+0x7b/0x160  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way.  Found by Linux Verification Center (linuxtesting.org).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38010",
                        "url": "https://ubuntu.com/security/CVE-2025-38010",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking  The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as:  [  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [  237.763103] Call trace: [  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170 [  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30 [  237.763110]  phy_power_off+0x48/0x100 [  237.763113]  tegra_xusb_enter_elpg+0x204/0x500 [  237.763119]  tegra_xusb_suspend+0x48/0x140 [  237.763122]  platform_pm_suspend+0x2c/0xb0 [  237.763125]  dpm_run_callback.isra.0+0x20/0xa0 [  237.763127]  __device_suspend+0x118/0x330 [  237.763129]  dpm_suspend+0x10c/0x1f0 [  237.763130]  dpm_suspend_start+0x88/0xb0 [  237.763132]  suspend_devices_and_enter+0x120/0x500 [  237.763135]  pm_suspend+0x1ec/0x270  The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count.  To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually.  With this change:   - The bias pad is powered on only when the mask is clear.   - Each UTMI pad is powered on or down based on its corresponding bit     in the mask, preventing redundant operations.   
- The overall power state of the shared bias pad is maintained     correctly during suspend/resume cycles.  The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38011",
                        "url": "https://ubuntu.com/security/CVE-2025-38011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: csa unmap use uninterruptible lock  After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace.  Change to use uninterruptible wait lock fix the issue.  WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525  amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]  Call Trace:   <TASK>   drm_file_free.part.0+0x1da/0x230 [drm]   drm_close_helper.isra.0+0x65/0x70 [drm]   drm_release+0x6a/0x120 [drm]   amdgpu_drm_release+0x51/0x60 [amdgpu]   __fput+0x9f/0x280   ____fput+0xe/0x20   task_work_run+0x67/0xa0   do_exit+0x217/0x3c0   do_group_exit+0x3b/0xb0   get_signal+0x14a/0x8d0   arch_do_signal_or_restart+0xde/0x100   exit_to_user_mode_loop+0xc1/0x1a0   exit_to_user_mode_prepare+0xf4/0x100   syscall_exit_to_user_mode+0x17/0x40   do_syscall_64+0x69/0xc0  (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38016",
                        "url": "https://ubuntu.com/security/CVE-2025-38016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: bpf: abort dispatch if device destroyed  The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages.  The bug will be triggered if the conditions below are met:  A) a device under the driver has some LEDs on B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)  If condition A is met, hidinput_led_worker() is always scheduled *after* hid_bpf_destroy_device().  hid_destroy_device ` hid_bpf_destroy_device   ` cleanup_srcu_struct(&hdev->bpf.srcu) ` hid_remove_device   ` ...     ` led_classdev_unregister       ` led_trigger_set(led_cdev, NULL)         ` led_set_brightness(led_cdev, LED_OFF)           ` ...             ` input_inject_event               ` input_event_dispose                 ` hidinput_input_event                   ` schedule_work(&hid->led_work) [hidinput_led_worker]  This is fine when condition B is not met, where hidinput_led_worker() calls hid_ll_driver->request(). This is the case for most HID drivers, which implement it or use the generic one from usbhid. The driver itself or an underlying driver will then abort processing the request.  Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads to the bug.  hidinput_led_worker ` hid_hw_output_report   ` dispatch_hid_bpf_output_report     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  The bug has existed since the introduction [2] of dispatch_hid_bpf_output_report(). 
However, the same bug also exists in dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect because of the lack of [1], but confirmed bpf.destroyed == 1) the bug against the commit (i.e., the Fixes:) introducing the function. This is because hidinput_led_worker() falls back to hid_hw_raw_request() when hid_ll_driver->output_report() is uninplemented (e.g., logitech- djreceiver).  hidinput_led_worker ` hid_hw_output_report: -ENOSYS ` hid_hw_raw_request   ` dispatch_hid_bpf_raw_requests     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  Fix the issue by returning early in the two mentioned functions if hid_bpf has been marked as destroyed. Though dispatch_hid_bpf_device_event() handles input events, and there is no evidence that it may be called after the destruction, the same check, as a safety net, is also added to it to maintain the consistency among all dispatch functions.  The impact of the bug on other architectures is unclear. Even if it acts as a hidden failure, this is still dangerous because it corrupts whatever is on the address calculated by SRCU. Thus, CC'ing the stable list.  [1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\") [2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for hid_hw_output_report\")",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38012",
                        "url": "https://ubuntu.com/security/CVE-2025-38012",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator  BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that next() and destroy() become noops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38018",
                        "url": "https://ubuntu.com/security/CVE-2025-38018",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix kernel panic when alloc_page failed  We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called.  This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we detached the rcvq from the frag list. Alternative fix would be to reset full_len.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028  Call trace:  tls_strp_check_rcv+0x128/0x27c  tls_strp_data_ready+0x34/0x44  tls_data_ready+0x3c/0x1f0  tcp_data_ready+0x9c/0xe4  tcp_data_queue+0xf6c/0x12d0  tcp_rcv_established+0x52c/0x798",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38019",
                        "url": "https://ubuntu.com/security/CVE-2025-38019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices  The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:   # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1  # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 NOARP  (Note that the neighbor is not marked with 'offload')  When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:   # devlink dev reload pci/0000:01:00.0  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 offload NOARP  If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:   # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1  # ip link del dev gre1  Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.  [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200 Read of size 8 at addr ffff888155b0e420 by task ip/2282 [...] 
Call Trace:  <TASK>  dump_stack_lvl+0x6f/0xa0  print_address_description.constprop.0+0x6f/0x350  print_report+0x108/0x205  kasan_report+0xdf/0x110  mlxsw_sp_neigh_entry_update+0x1ea/0x200  mlxsw_sp_router_rif_gone_sync+0x2a8/0x440  mlxsw_sp_rif_destroy+0x1e9/0x750  mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0  mlxsw_sp_router_netdevice_event+0x3ac/0x15e0  notifier_call_chain+0xca/0x150  call_netdevice_notifiers_info+0x7f/0x100  unregister_netdevice_many_notify+0xc8c/0x1d90  rtnl_dellink+0x34e/0xa50  rtnetlink_rcv_msg+0x6fb/0xb70  netlink_rcv_skb+0x131/0x360  netlink_unicast+0x426/0x710  netlink_sendmsg+0x75a/0xc20  __sock_sendmsg+0xc1/0x150  ____sys_sendmsg+0x5aa/0x7b0  ___sys_sendmsg+0xfc/0x180  __sys_sendmsg+0x121/0x1b0  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38013",
                        "url": "https://ubuntu.com/security/CVE-2025-38013",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request  Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller:  UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')  This was missed in the initial conversions because I failed to locate the allocation likely due to the \"sizeof(void *)\" not matching the \"channels\" array type.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38002",
                        "url": "https://ubuntu.com/security/CVE-2025-38002",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()  Not everything requires locking in there, which is why the 'has_lock' variable exists. But enough does that it's a bit unwieldy to manage. Wrap the whole thing in a ->uring_lock trylock, and just return with no output if we fail to grab it. The existing trylock() will already have greatly diminished utility/output for the failure case.  This fixes an issue with reading the SQE fields, if the ring is being actively resized at the same time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-06 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38027",
                        "url": "https://ubuntu.com/security/CVE-2025-38027",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regulator: max20086: fix invalid memory access  max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.  of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().  struct devm_of_regulator_matches is populated with the stack allocated matches array.  If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:  max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.  Followed by a stack trace matching the call flow described above.  Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.  This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38020",
                        "url": "https://ubuntu.com/security/CVE-2025-38020",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Disable MACsec offload for uplink representor profile  MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features.  If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set.  Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().  Kernel log:  Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace:  <TASK>  ? die_addr+0x3d/0xa0  ? 
exc_general_protection+0x144/0x220  ? asm_exc_general_protection+0x22/0x30  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? __mutex_lock+0x128/0x1dd0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mutex_lock_io_nested+0x1ae0/0x1ae0  ? lock_acquire+0x1c2/0x530  ? macsec_upd_offload+0x145/0x380  ? lockdep_hardirqs_on_prepare+0x400/0x400  ? kasan_save_stack+0x30/0x40  ? kasan_save_stack+0x20/0x40  ? kasan_save_track+0x10/0x30  ? __kasan_kmalloc+0x77/0x90  ? __kmalloc_noprof+0x249/0x6b0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]  macsec_update_offload+0x26c/0x820  ? macsec_set_mac_address+0x4b0/0x4b0  ? lockdep_hardirqs_on_prepare+0x284/0x400  ? _raw_spin_unlock_irqrestore+0x47/0x50  macsec_upd_offload+0x2c8/0x380  ? macsec_update_offload+0x820/0x820  ? __nla_parse+0x22/0x30  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240  genl_family_rcv_msg_doit+0x1cc/0x2a0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240  ? cap_capable+0xd4/0x330  genl_rcv_msg+0x3ea/0x670  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? macsec_update_offload+0x820/0x820  netlink_rcv_skb+0x12b/0x390  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? netlink_ack+0xd80/0xd80  ? rwsem_down_read_slowpath+0xf90/0xf90  ? netlink_deliver_tap+0xcd/0xac0  ? netlink_deliver_tap+0x155/0xac0  ? _copy_from_iter+0x1bb/0x12c0  genl_rcv+0x24/0x40  netlink_unicast+0x440/0x700  ? netlink_attachskb+0x760/0x760  ? lock_acquire+0x1c2/0x530  ? __might_fault+0xbb/0x170  netlink_sendmsg+0x749/0xc10  ? netlink_unicast+0x700/0x700  ? __might_fault+0xbb/0x170  ? netlink_unicast+0x700/0x700  __sock_sendmsg+0xc5/0x190  ____sys_sendmsg+0x53f/0x760  ? import_iovec+0x7/0x10  ? kernel_sendmsg+0x30/0x30  ? __copy_msghdr+0x3c0/0x3c0  ? filter_irq_stacks+0x90/0x90  ? 
stack_depot_save_flags+0x28/0xa30  ___sys_sen ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38021",
                        "url": "https://ubuntu.com/security/CVE-2025-38021",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp  Similar to commit 6a057072ddd1 (\"drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe\") that addresses a null pointer dereference on dcn20_update_dchubp_dpp. This is the same function hooked for update_dchubp_dpp in dcn401, with the same issue. Fix possible null pointer dereference on dcn401_program_pipe too.  (cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38006",
                        "url": "https://ubuntu.com/security/CVE-2025-38006",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mctp: Don't access ifa_index when missing  In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox \"ip addr show\".  The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index).  BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380  rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824  netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37992",
                        "url": "https://ubuntu.com/security/CVE-2025-37992",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: Flush gso_skb list too during ->change()  Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen.  This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-26 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38022",
                        "url": "https://ubuntu.com/security/CVE-2025-38022",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem  Call Trace:   __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc3/0x670 mm/kasan/report.c:521  kasan_report+0xe0/0x110 mm/kasan/report.c:634  strlen+0x93/0xa0 lib/string.c:420  __fortify_strlen include/linux/fortify-string.h:268 [inline]  get_kobj_path_length lib/kobject.c:118 [inline]  kobject_get_path+0x3f/0x2a0 lib/kobject.c:158  kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545  ib_register_device drivers/infiniband/core/device.c:1472 [inline]  ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393  rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552  rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550  rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225  nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796  rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195  rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]  netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339  netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566  ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620  __sys_sendmsg+0x16d/0x220 net/socket.c:2652  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This problem is similar to the problem that the commit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\") fixes.  The root cause is: the function ib_device_rename() renames the name with lock. 
But in the function kobject_uevent(), this name is accessed without lock protection at the same time.  The solution is to add the lock protection when this name is accessed in the function kobject_uevent().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38028",
                        "url": "https://ubuntu.com/security/CVE-2025-38028",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS/localio: Fix a race in nfs_local_open_fh()  Once the clp->cl_uuid.lock has been dropped, another CPU could come in and free the struct nfsd_file that was just added. To prevent that from happening, take the RCU read lock before dropping the spin lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38023",
                        "url": "https://ubuntu.com/security/CVE-2025-38023",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs: handle failure of nfs_get_lock_context in unlock path  When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example:  BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace:  <TASK>  __rpc_execute+0xbc/0x480  rpc_async_schedule+0x2f/0x40  process_one_work+0x232/0x5d0  worker_thread+0x1da/0x3d0  ? __pfx_worker_thread+0x10/0x10  kthread+0x10d/0x240  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x34/0x50  ? 
__pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]---  Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38007",
                        "url": "https://ubuntu.com/security/CVE-2025-38007",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: uclogic: Add NULL check in uclogic_input_configured()  devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38024",
                        "url": "https://ubuntu.com/security/CVE-2025-38024",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug  Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xcf/0x610 mm/kasan/report.c:489  kasan_report+0xb5/0xe0 mm/kasan/report.c:602  rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195  rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132  __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232  rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109  create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052  ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095  ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679  vfs_write fs/read_write.c:677 [inline]  vfs_write+0x26a/0xcc0 fs/read_write.c:659  ksys_write+0x1b8/0x200 fs/read_write.c:731  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur.  The solution is to let rxe_cleanup do all the work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38025",
                        "url": "https://ubuntu.com/security/CVE-2025-38025",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: adc: ad7606: check for NULL before calling sw_mode_config()  Check that the sw_mode_config function pointer is not NULL before calling it. Not all buses define this callback, which resulted in a NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37963",
                        "url": "https://ubuntu.com/security/CVE-2025-37963",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users  Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB.  In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37948",
                        "url": "https://ubuntu.com/security/CVE-2025-37948",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs  A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next.  On exit from a BPF program, emit the BHB mitigation sequence.  This is only applied for 'classic' cBPF programs that are loaded by seccomp.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37994",
                        "url": "https://ubuntu.com/security/CVE-2025-37994",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix NULL pointer access  This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37967",
                        "url": "https://ubuntu.com/security/CVE-2025-37967",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix deadlock  This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock scenario where ucsi_displayport_remove_partner holds con->mutex waiting for dp_altmode_work to complete while dp_altmode_work attempts to acquire it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37950",
                        "url": "https://ubuntu.com/security/CVE-2025-37950",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix panic in failed foilio allocation  commit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit 9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of pages\") save -ENOMEM in the folio array upon allocation failure and call the folio array free code.  The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic.  Fix by NULLing the error folio entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37995",
                        "url": "https://ubuntu.com/security/CVE-2025-37995",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  module: ensure that kobject_put() is safe for module type kobjects  In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37960",
                        "url": "https://ubuntu.com/security/CVE-2025-37960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memblock: Accept allocated memory before use in memblock_double_array()  When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest:    RIP: 0010:memcpy_orig+0x68/0x130   Code: ...   RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006   RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000   RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00   RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000   R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78   R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00   memblock_double_array+0xff/0x310   memblock_add_range+0x1fb/0x2f0   memblock_reserve+0x4f/0xa0   memblock_alloc_range_nid+0xac/0x130   memblock_alloc_internal+0x53/0xc0   memblock_alloc_try_nid+0x3d/0xa0   swiotlb_init_remap+0x149/0x2f0   mem_init+0xb/0xb0   mm_core_init+0x8f/0x350   start_kernel+0x17e/0x5d0   x86_64_start_reservations+0x14/0x30   x86_64_start_kernel+0x92/0xa0   secondary_startup_64_no_verify+0x194/0x19b  Mitigate this by calling accept_memory() on the memory range returned before the slab is available.  Prior to v6.12, the accept_memory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the accept_memory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37996",
                        "url": "https://ubuntu.com/security/CVE-2025-37996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()  Commit fce886a60207 (\"KVM: arm64: Plumb the pKVM MMU in KVM\") made the initialization of the local memcache variable in user_mem_abort() conditional, leaving a codepath where it is used uninitialized via kvm_pgtable_stage2_map().  This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging.  Fix this by making sure that memcache is always valid.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37949",
                        "url": "https://ubuntu.com/security/CVE-2025-37949",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xenbus: Use kref to track req lifetime  Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace:  <TASK>  __wake_up_common_lock+0x82/0xd0  process_msg+0x18e/0x2f0  xenbus_thread+0x165/0x1c0  process_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems like it was xs_wake_up() in this case.  It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed data.  Linux Device Drivers 2nd edition states: \"Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns.\" ... which would match the behaviour observed.  Change to keeping two krefs on each request.  One for the caller, and one for xenbus_thread.  Each will kref_put() when finished, and the last will free it.  This use of kref matches the description in Documentation/core-api/kref.rst",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37954",
                        "url": "https://ubuntu.com/security/CVE-2025-37954",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Avoid race in open_cached_dir with lease breaks  A pre-existing valid cfid returned from find_or_create_cached_dir might race with a lease break, meaning open_cached_dir doesn't consider it valid, and thinks it's newly-constructed. This leaks a dentry reference if the allocation occurs before the queued lease break work runs.  Avoid the race by holding the cfid_list_lock across find_or_create_cached_dir and until the result is checked.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37965",
                        "url": "https://ubuntu.com/security/CVE-2025-37965",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix invalid context error in dml helper  [Why] \"BUG: sleeping function called from invalid context\" error. after: \"drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()\"  The populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag for memory allocation, which shouldn't be used in atomic contexts.  The allocation is needed only for using another helper function get_scaler_data_for_plane().  [How] Modify helpers to pass a pointer to scaler_data within existing context, eliminating the need for dynamic memory allocation/deallocation and copying.  (cherry picked from commit bd3e84bc98f81b44f2c43936bdadc3241d654259)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37951",
                        "url": "https://ubuntu.com/security/CVE-2025-37951",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/v3d: Add job to pending list if the reset was skipped  When a CL/CSD job times out, we check if the GPU has made any progress since the last timeout. If so, instead of resetting the hardware, we skip the reset and let the timer get rearmed. This gives long-running jobs a chance to complete.  However, when `timedout_job()` is called, the job in question is removed from the pending list, which means it won't be automatically freed through `free_job()`. Consequently, when we skip the reset and keep the job running, the job won't be freed when it finally completes.  This situation leads to a memory leak, as exposed in [1] and [2].  Similarly to commit 704d3d60fec4 (\"drm/etnaviv: don't block scheduler when GPU is still active\"), this patch ensures the job is put back on the pending list when extending the timeout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37968",
                        "url": "https://ubuntu.com/security/CVE-2025-37968",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: light: opt3001: fix deadlock due to concurrent flag access  The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock.  Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37969",
                        "url": "https://ubuntu.com/security/CVE-2025-37969",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo  Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37970",
                        "url": "https://ubuntu.com/security/CVE-2025-37970",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo  Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37966",
                        "url": "https://ubuntu.com/security/CVE-2025-37966",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL  When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes:  Oops - illegal instruction [#1]     [snip] epc : set_tagged_addr_ctrl+0x112/0x15a  ra : set_tagged_addr_ctrl+0x74/0x15a epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10     [snip] status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002     set_tagged_addr_ctrl+0x112/0x15a     __riscv_sys_prctl+0x352/0x73c     do_trap_ecall_u+0x17c/0x20c     andle_exception+0x150/0x15c  Fix it by checking if Supm is available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37957",
                        "url": "https://ubuntu.com/security/CVE-2025-37957",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception  Previously, commit ed129ec9057f (\"KVM: x86: forcibly leave nested mode on vCPU reset\") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM).  This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception while the vCPU is in SMM. This situation was reprodused using Syzkaller by:    1) Creating a KVM VM and vCPU   2) Sending a KVM_SMI ioctl to explicitly enter SMM   3) Executing invalid instructions causing consecutive exceptions and      eventually a triple fault  The issue manifests as follows:    WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112   kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Modules linked in:   CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted   6.1.130-syzkaller-00157-g164fe5dde9b6 #0   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),   BIOS 1.12.0-1 04/01/2014   RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Call Trace:    <TASK>    shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136    svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395    svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457    vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline]    vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062    kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283    kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:870 [inline]    __se_sys_ioctl fs/ioctl.c:856 [inline]    __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856    do_syscall_x64 arch/x86/entry/common.c:51 [inline]    do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81    
entry_SYSCALL_64_after_hwframe+0x6e/0xd8  Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN() in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper emulation of INIT.  SHUTDOWN on SVM is a weird edge case where KVM needs to do _something_ sane with the VMCB, since it's technically undefined, and INIT is the least awful choice given KVM's ABI.  So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of SMM to avoid any weirdness (and the WARN).  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [sean: massage changelog, make it clear this isn't architectural behavior]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37958",
                        "url": "https://ubuntu.com/security/CVE-2025-37958",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/huge_memory: fix dereferencing invalid pmd migration entry  When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below.  To prevent this invalid access, it is necessary to check the PMD migration entry and return early.  In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio.  Since the PMD migration entry is locked, it cannot be served as the target.  Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\"  BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The bug is found by syzkaller on an internal kernel, then confirmed on upstream.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37964",
                        "url": "https://ubuntu.com/security/CVE-2025-37964",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Eliminate window where TLB flushes may be inadvertently skipped  tl;dr: There is a window in the mm switching code where the new CR3 is set and the CPU should be getting TLB flushes for the new mm.  But should_flush_tlb() has a bug and suppresses the flush.  Fix it by widening the window where should_flush_tlb() sends an IPI.  Long Version:  === History ===  There were a few things leading up to this.  First, updating mm_cpumask() was observed to be too expensive, so it was made lazier.  But being lazy caused too many unnecessary IPIs to CPUs due to the now-lazy mm_cpumask().  So code was added to cull mm_cpumask() periodically[2].  But that culling was a bit too aggressive and skipped sending TLB flushes to CPUs that need them.  So here we are again.  === Problem ===  The too-aggressive code in should_flush_tlb() strikes in this window:  \t// Turn on IPIs for this CPU/mm combination, but only \t// if should_flush_tlb() agrees: \tcpumask_set_cpu(cpu, mm_cpumask(next));  \tnext_tlb_gen = atomic64_read(&next->context.tlb_gen); \tchoose_new_asid(next, next_tlb_gen, &new_asid, &need_flush); \tload_new_mm_cr3(need_flush); \t// ^ After 'need_flush' is set to false, IPIs *MUST* \t// be sent to this CPU and not be ignored.          this_cpu_write(cpu_tlbstate.loaded_mm, next); \t// ^ Not until this point does should_flush_tlb() \t// become true!  should_flush_tlb() will suppress TLB flushes between load_new_mm_cr3() and writing to 'loaded_mm', which is a window where they should not be suppressed.  Whoops.  === Solution ===  Thankfully, the fuzzy \"just about to write CR3\" window is already marked with loaded_mm==LOADED_MM_SWITCHING.  Simply checking for that state in should_flush_tlb() is sufficient to ensure that the CPU is targeted with an IPI.  This will cause more TLB flush IPIs.  
But the window is relatively small and I do not expect this to cause any kind of measurable performance impact.  Update the comment where LOADED_MM_SWITCHING is written since it grew yet another user.  Peter Z also raised a concern that should_flush_tlb() might not observe 'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off() writes them.  Add a barrier to ensure that they are observed in the order they are written.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37971",
                        "url": "https://ubuntu.com/security/CVE-2025-37971",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: bcm2835-camera: Initialise dev in v4l2_dev  Commit 42a2f6664e18 (\"staging: vc04_services: Move global g_state to vchiq_state\") changed mmal_init to pass dev->v4l2_dev.dev to vchiq_mmal_init, however nothing initialised dev->v4l2_dev, so we got a NULL pointer dereference.  Set dev->v4l2_dev.dev during bcm2835_mmal_probe. The device pointer could be passed into v4l2_device_register to set it, however that also has other effects that would need additional changes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37972",
                        "url": "https://ubuntu.com/security/CVE-2025-37972",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: mtk-pmic-keys - fix possible null pointer dereference  In mtk_pmic_keys_probe, the regs parameter is only set if the button is parsed in the device tree. However, on hardware where the button is left floating, that node will most likely be removed not to enable that input. In that case the code will try to dereference a null pointer.  Let's use the regs struct instead as it is defined for all supported platforms. Note that it is ok setting the key reg even if that latter is disabled as the interrupt won't be enabled anyway.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37959",
                        "url": "https://ubuntu.com/security/CVE-2025-37959",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Scrub packet on bpf_redirect_peer  When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be \"misused\" in another namespace.  As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function.      NETNS       MARK  IFACE  TUPLE                                FUNC     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 gro_cells_receive                              .active_extensions = (__u8)2,     [...]     4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53 skb_do_redirect                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 ip_rcv_core                              .active_extensions = (__u8)2,     [...]     
4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)                              .active_extensions = (__u8)2,  In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected. When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption.  This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37961",
                        "url": "https://ubuntu.com/security/CVE-2025-37961",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: fix uninit-value for saddr in do_output_route4  syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 (\"ipvs: do not use random local source address for tunnels\") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr.  [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 
arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4167 [inline]  slab_alloc_node mm/slub.c:4210 [inline]  __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367  kmalloc_noprof include/linux/slab.h:905 [inline]  ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]  __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engi ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37993",
                        "url": "https://ubuntu.com/security/CVE-2025-37993",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe  The spin lock tx_handling_spinlock in struct m_can_classdev is not being initialized. This leads the following spinlock bad magic complaint from the kernel, eg. when trying to send CAN frames with cansend from can-utils:  | BUG: spinlock bad magic on CPU#0, cansend/95 |  lock: 0xff60000002ec1010, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 | CPU: 0 UID: 0 PID: 95 Comm: cansend Not tainted 6.15.0-rc3-00032-ga79be02bba5c #5 NONE | Hardware name: MachineWare SIM-V (DT) | Call Trace: | [<ffffffff800133e0>] dump_backtrace+0x1c/0x24 | [<ffffffff800022f2>] show_stack+0x28/0x34 | [<ffffffff8000de3e>] dump_stack_lvl+0x4a/0x68 | [<ffffffff8000de70>] dump_stack+0x14/0x1c | [<ffffffff80003134>] spin_dump+0x62/0x6e | [<ffffffff800883ba>] do_raw_spin_lock+0xd0/0x142 | [<ffffffff807a6fcc>] _raw_spin_lock_irqsave+0x20/0x2c | [<ffffffff80536dba>] m_can_start_xmit+0x90/0x34a | [<ffffffff806148b0>] dev_hard_start_xmit+0xa6/0xee | [<ffffffff8065b730>] sch_direct_xmit+0x114/0x292 | [<ffffffff80614e2a>] __dev_queue_xmit+0x3b0/0xaa8 | [<ffffffff8073b8fa>] can_send+0xc6/0x242 | [<ffffffff8073d1c0>] raw_sendmsg+0x1a8/0x36c | [<ffffffff805ebf06>] sock_write_iter+0x9a/0xee | [<ffffffff801d06ea>] vfs_write+0x184/0x3a6 | [<ffffffff801d0a88>] ksys_write+0xa0/0xc0 | [<ffffffff801d0abc>] __riscv_sys_write+0x14/0x1c | [<ffffffff8079ebf8>] do_trap_ecall_u+0x168/0x212 | [<ffffffff807a830a>] handle_exception+0x146/0x152  Initializing the spin lock in m_can_class_allocate_dev solves that problem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37955",
                        "url": "https://ubuntu.com/security/CVE-2025-37955",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()  The selftests added to our CI by Bui Quang Minh recently reveals that there is a mem leak on the error path of virtnet_xsk_pool_enable():  unreferenced object 0xffff88800a68a000 (size 2048):   comm \"xdp_helper\", pid 318, jiffies 4294692778   hex dump (first 32 bytes):     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   backtrace (crc 0):     __kvmalloc_node_noprof+0x402/0x570     virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)     xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)     xsk_bind+0x6a5/0x1ae0     __sys_bind+0x15e/0x230     __x64_sys_bind+0x72/0xb0     do_syscall_64+0xc1/0x1d0     entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37962",
                        "url": "https://ubuntu.com/security/CVE-2025-37962",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix memory leak in parse_lease_state()  The previous patch that added bounds check for create lease context introduced a memory leak. When the bounds check fails, the function returns NULL without freeing the previously allocated lease_ctx_info structure.  This patch fixes the issue by adding kfree(lreq) before returning NULL in both boundary check cases.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37998",
                        "url": "https://ubuntu.com/security/CVE-2025-37998",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: Fix unsafe attribute parsing in output_userspace()  This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37952",
                        "url": "https://ubuntu.com/security/CVE-2025-37952",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: Fix UAF in __close_file_table_ids  A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this.  The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37947",
                        "url": "https://ubuntu.com/security/CVE-2025-37947",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent out-of-bounds stream writes by validating *pos  ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write.  This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37956",
                        "url": "https://ubuntu.com/security/CVE-2025-37956",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent rename with empty string  Client can send empty newname string to ksmbd server. It will cause a kernel oops from d_alloc. This patch returns the error when attempting to rename a file or directory with an empty new name string.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37973",
                        "url": "https://ubuntu.com/security/CVE-2025-37973",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation  Currently during the multi-link element defragmentation process, the multi-link element length added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer.  To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37999",
                        "url": "https://ubuntu.com/security/CVE-2025-37999",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()  If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty `struct bio`.  Then it retries the bio_add_folio() call.  However, at this point, erofs_onlinefolio_split() has already been called which increments `folio->private`; the retry will call erofs_onlinefolio_split() again, but there will never be a matching erofs_onlinefolio_end() call.  This leaves the folio locked forever and all waiters will be stuck in folio_wait_bit_common().  This bug has been added by commit ce63cb62d794 (\"erofs: support unencoded inodes for fileio\"), but was practically unreachable because there was room for 256 folios in the `struct bio` - until commit 9f74ae8c9ac9 (\"erofs: shorten bvecs[] for file-backed mounts\") which reduced the array capacity to 16 folios.  It was now trivial to trigger the bug by manually invoking readahead from userspace, e.g.:   posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);  This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded.  This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38083",
                        "url": "https://ubuntu.com/security/CVE-2025-38083",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: prio: fix a race in prio_tune()  Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-20 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37946",
                        "url": "https://ubuntu.com/security/CVE-2025-37946",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs  With commit bcb5d6c76903 (\"s390/pci: introduce lock to synchronize state of zpci_dev's\") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a double put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37974",
                        "url": "https://ubuntu.com/security/CVE-2025-37974",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix missing check for zpci_create_device() error return  The zpci_create_device() function returns an error pointer that needs to be checked before dereferencing it as a struct zpci_dev pointer. Add the missing check in __clp_add() where it was missed when adding the scan_list in the fixed commit. Simply not adding the device to the scan list results in the previous behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37903",
                        "url": "https://ubuntu.com/security/CVE-2025-37903",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix slab-use-after-free in hdcp  The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free:  [   66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu] [   66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10  [   66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233 [   66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024 [   66.776186] Workqueue: events event_property_validate [amdgpu] [   66.776494] Call Trace: [   66.776496]  <TASK> [   66.776497]  dump_stack_lvl+0x70/0xa0 [   66.776504]  print_report+0x175/0x555 [   66.776507]  ? __virt_addr_valid+0x243/0x450 [   66.776510]  ? kasan_complete_mode_report_info+0x66/0x1c0 [   66.776515]  kasan_report+0xeb/0x1c0 [   66.776518]  ? event_property_validate+0x42f/0x6c0 [amdgpu] [   66.776819]  ? event_property_validate+0x42f/0x6c0 [amdgpu] [   66.777121]  __asan_report_load4_noabort+0x14/0x20 [   66.777124]  event_property_validate+0x42f/0x6c0 [amdgpu] [   66.777342]  ? __lock_acquire+0x6b40/0x6b40 [   66.777347]  ? enable_assr+0x250/0x250 [amdgpu] [   66.777571]  process_one_work+0x86b/0x1510 [   66.777575]  ? pwq_dec_nr_in_flight+0xcf0/0xcf0 [   66.777578]  ? assign_work+0x16b/0x280 [   66.777580]  ? lock_is_held_type+0xa3/0x130 [   66.777583]  worker_thread+0x5c0/0xfa0 [   66.777587]  ? process_one_work+0x1510/0x1510 [   66.777588]  kthread+0x3a2/0x840 [   66.777591]  ? kthread_is_per_cpu+0xd0/0xd0 [   66.777594]  ? 
trace_hardirqs_on+0x4f/0x60 [   66.777597]  ? _raw_spin_unlock_irq+0x27/0x60 [   66.777599]  ? calculate_sigpending+0x77/0xa0 [   66.777602]  ? kthread_is_per_cpu+0xd0/0xd0 [   66.777605]  ret_from_fork+0x40/0x90 [   66.777607]  ? kthread_is_per_cpu+0xd0/0xd0 [   66.777609]  ret_from_fork_asm+0x11/0x20 [   66.777614]  </TASK>  [   66.777643] Allocated by task 10: [   66.777646]  kasan_save_stack+0x39/0x60 [   66.777649]  kasan_save_track+0x14/0x40 [   66.777652]  kasan_save_alloc_info+0x37/0x50 [   66.777655]  __kasan_kmalloc+0xbb/0xc0 [   66.777658]  __kmalloc_cache_noprof+0x1c8/0x4b0 [   66.777661]  dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu] [   66.777880]  drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper] [   66.777892]  drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper] [   66.777901]  drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper] [   66.777909]  drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper] [   66.777917]  process_one_work+0x86b/0x1510 [   66.777919]  worker_thread+0x5c0/0xfa0 [   66.777922]  kthread+0x3a2/0x840 [   66.777925]  ret_from_fork+0x40/0x90 [   66.777927]  ret_from_fork_asm+0x11/0x20  [   66.777932] Freed by task 1713: [   66.777935]  kasan_save_stack+0x39/0x60 [   66.777938]  kasan_save_track+0x14/0x40 [   66.777940]  kasan_save_free_info+0x3b/0x60 [   66.777944]  __kasan_slab_free+0x52/0x70 [   66.777946]  kfree+0x13f/0x4b0 [   66.777949]  dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu] [   66.778179]  drm_connector_free+0x7d/0xb0 [   66.778184]  drm_mode_object_put.part.0+0xee/0x160 [   66.778188]  drm_mode_object_put+0x37/0x50 [   66.778191]  drm_atomic_state_default_clear+0x220/0xd60 [   66.778194]  __drm_atomic_state_free+0x16e/0x2a0 [   66.778197]  drm_mode_atomic_ioctl+0x15ed/0x2ba0 [   66.778200]  drm_ioctl_kernel+0x17a/0x310 [   66.778203]  drm_ioctl+0x584/0xd10 [   66.778206]  amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu] [   66.778375]  __x64_sys_ioctl+0x139/0x1a0 [   66.778378]  
x64_sys_call+0xee7/0xfb0 [   66.778381] ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37904",
                        "url": "https://ubuntu.com/security/CVE-2025-37904",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix the inode leak in btrfs_iget()  [BUG] There is a bug report that a syzbot reproducer can lead to the following busy inode at unmount time:    BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50   VFS: Busy inodes after unmount of loop1 (btrfs)   ------------[ cut here ]------------   kernel BUG at fs/super.c:650!   Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI   CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 #2 PREEMPT(full)   Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014   RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650   Call Trace:    <TASK>    kill_anon_super+0x3a/0x60 fs/super.c:1237    btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2099    deactivate_locked_super+0xbe/0x1a0 fs/super.c:473    deactivate_super fs/super.c:506 [inline]    deactivate_super+0xe2/0x100 fs/super.c:502    cleanup_mnt+0x21f/0x440 fs/namespace.c:1435    task_work_run+0x14d/0x240 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop kernel/entry/common.c:114 [inline]    exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]    __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]    syscall_exit_to_user_mode+0x269/0x290 kernel/entry/common.c:218    do_syscall_64+0xd4/0x250 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f    </TASK>  [CAUSE] When btrfs_alloc_path() failed, btrfs_iget() directly returned without releasing the inode already allocated by btrfs_iget_locked().  This results the above busy inode and trigger the kernel BUG.  [FIX] Fix it by calling iget_failed() if btrfs_alloc_path() failed.  
If we hit error inside btrfs_read_locked_inode(), it will properly call iget_failed(), so nothing to worry about.  Although the iget_failed() cleanup inside btrfs_read_locked_inode() is a break of the normal error handling scheme, let's fix the obvious bug and backport first, then rework the error handling later.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37905",
                        "url": "https://ubuntu.com/security/CVE-2025-37905",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Balance device refcount when destroying devices  Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction.  As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_private dev->p populated by the drivers subsystem core.  KMemleak detects this situation since loading/unloding some SCMI driver causes related devices to be created/destroyed without calling any device_release method.  unreferenced object 0xffff00000f583800 (size 512):   comm \"insmod\", pid 227, jiffies 4294912190   hex dump (first 32 bytes):     00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........     ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......   
backtrace (crc 114e2eed):     kmemleak_alloc+0xbc/0xd8     __kmalloc_cache_noprof+0x2dc/0x398     device_add+0x954/0x12d0     device_register+0x28/0x40     __scmi_device_create.part.0+0x1bc/0x380     scmi_device_create+0x2d0/0x390     scmi_create_protocol_devices+0x74/0xf8     scmi_device_request_notifier+0x1f8/0x2a8     notifier_call_chain+0x110/0x3b0     blocking_notifier_call_chain+0x70/0xb0     scmi_driver_register+0x350/0x7f0     0xffff80000a3b3038     do_one_initcall+0x12c/0x730     do_init_module+0x1dc/0x640     load_module+0x4b20/0x5b70     init_module_from_file+0xec/0x158  $ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0 device_add+0x954/0x12d0: kmalloc_noprof at include/linux/slab.h:901 (inlined by) kzalloc_noprof at include/linux/slab.h:1037 (inlined by) device_private_init at drivers/base/core.c:3510 (inlined by) device_add at drivers/base/core.c:3561  Balance device refcount by issuing a put_device() on devices found via device_find_child().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37906",
                        "url": "https://ubuntu.com/security/CVE-2025-37906",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd  ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but we may have scheduled task work via io_uring_cmd_complete_in_task() for dispatching request, then kernel crash can be triggered.  Fix it by not trying to cancel the command if ublk block request is started.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37907",
                        "url": "https://ubuntu.com/security/CVE-2025-37907",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Fix locking order in ivpu_job_submit  Fix deadlock in job submission and abort handling. When a thread aborts currently executing jobs due to a fault, it first locks the global lock protecting submitted_jobs (#1).  After the last job is destroyed, it proceeds to release the related context and locks file_priv (#2). Meanwhile, in the job submission thread, the file_priv lock (#2) is taken first, and then the submitted_jobs lock (#1) is obtained when a job is added to the submitted jobs list.         CPU0                            CPU1        ----                    \t       ----   (for example due to a fault)         (jobs submissions keep coming)    lock(&vdev->submitted_jobs_lock) #1   ivpu_jobs_abort_all()   job_destroy()                                       lock(&file_priv->lock)           #2                                       lock(&vdev->submitted_jobs_lock) #1   file_priv_release()   lock(&vdev->context_list_lock)   lock(&file_priv->lock)           #2  This order of locking causes a deadlock. To resolve this issue, change the order of locking in ivpu_job_submit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37908",
                        "url": "https://ubuntu.com/security/CVE-2025-37908",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, slab: clean up slab->obj_exts always  When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error:  [...]BUG: Bad page state in process... .. [...]page dumped because: page still charged to cgroup  [andriy.shevchenko@linux.intel.com: fold need_slab_obj_ext() into its only user]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37933",
                        "url": "https://ubuntu.com/security/CVE-2025-37933",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep: Fix host hang issue during device reboot  When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function. dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37909",
                        "url": "https://ubuntu.com/security/CVE-2025-37909",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: lan743x: Fix memleak issue when GSO enabled  Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37910",
                        "url": "https://ubuntu.com/security/CVE-2025-37910",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations  On Adva boards, SMA sysfs store/get operations can call __handle_signal_outputs() or __handle_signal_inputs() while the `irig` and `dcf` pointers are uninitialized, leading to a NULL pointer dereference in __handle_signal() and causing a kernel crash. Adva boards don't use `irig` or `dcf` functionality, so add Adva-specific callbacks `ptp_ocp_sma_adva_set_outputs()` and `ptp_ocp_sma_adva_set_inputs()` that avoid invoking `irig` or `dcf` input/output routines.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37894",
                        "url": "https://ubuntu.com/security/CVE-2025-37894",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: use sock_gen_put() when sk_state is TCP_TIME_WAIT  It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to sock_put() on a struct inet_timewait_sock pointer. To avoid this issue, use sock_gen_put() instead of sock_put() when sk->sk_state is TCP_TIME_WAIT.  mrdump.ko        ipanic() + 120 vmlinux          notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132 vmlinux          atomic_notifier_call_chain(val=0) + 56 vmlinux          panic() + 344 vmlinux          add_taint() + 164 vmlinux          end_report() + 136 vmlinux          kasan_report(size=0) + 236 vmlinux          report_tag_fault() + 16 vmlinux          do_tag_recovery() + 16 vmlinux          __do_kernel_fault() + 88 vmlinux          do_bad_area() + 28 vmlinux          do_tag_check_fault() + 60 vmlinux          do_mem_abort() + 80 vmlinux          el1_abort() + 56 vmlinux          el1h_64_sync_handler() + 124 vmlinux        > 0xFFFFFFC080011294() vmlinux          __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C) vmlinux          __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C) vmlinux          arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux          raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux          atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux          __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux          __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux          refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8 vmlinux          
sk_free(sk=0xF2FFFF82A8960700) + 28 vmlinux          sock_put() + 48 vmlinux          tcp6_check_fraglist_gro() + 236 vmlinux          tcp6_gro_receive() + 624 vmlinux          ipv6_gro_receive() + 912 vmlinux          dev_gro_receive() + 1116 vmlinux          napi_gro_receive() + 196 ccmni.ko         ccmni_rx_callback() + 208 ccmni.ko         ccmni_queue_recv_skb() + 388 ccci_dpmaif.ko   dpmaif_rxq_push_thread() + 1088 vmlinux          kthread() + 268 vmlinux          0xFFFFFFC08001F30C()",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37934",
                        "url": "https://ubuntu.com/security/CVE-2025-37934",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction  Actually check if the passed pointers are valid, before writing to them. This also fixes a UBSAN warning: UBSAN: invalid-load in ../sound/soc/fsl/imx-card.c:687:25 load of value 255 is not a valid value for type '_Bool'  This is because playback_only is uninitialized and is not written to, as the playback-only property is absent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37911",
                        "url": "https://ubuntu.com/security/CVE-2025-37911",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix out-of-bound memcpy() during ethtool -w  When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption:  BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45): __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] ethtool_get_dump_data+0xdc/0x1a0 __dev_ethtool+0xa1e/0x1af0 dev_ethtool+0xa8/0x170 dev_ioctl+0x1b5/0x580 sock_do_ioctl+0xab/0xf0 sock_ioctl+0x1ce/0x2e0 __x64_sys_ioctl+0x87/0xc0 do_syscall_64+0x5c/0xf0 entry_SYSCALL_64_after_hwframe+0x78/0x80  ...  This happens when copying the coredump segment list in bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command. The info->dest_buf buffer is allocated based on the number of coredump segments returned by the FW.  The segment list is then DMA'ed by the FW and the length of the DMA is returned by FW.  The driver then copies this DMA'ed segment list to info->dest_buf.  In some cases, this DMA length may exceed the info->dest_buf length and cause the above BUG condition.  Fix it by capping the copy length to not exceed the length of info->dest_buf.  The extra DMA data contains no useful information.  This code path is shared for the HWRM_DBG_COREDUMP_LIST and the HWRM_DBG_COREDUMP_RETRIEVE FW commands.  The buffering is different for these 2 FW commands.  To simplify the logic, we need to move the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE up, so that the new check to cap the copy length will work for both commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37895",
                        "url": "https://ubuntu.com/security/CVE-2025-37895",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix error handling path in bnxt_init_chip()  WARN_ON() is triggered in __flush_work() if bnxt_init_chip() fails because we call cancel_work_sync() on dim work that has not been initialized.  WARNING: CPU: 37 PID: 5223 at kernel/workqueue.c:4201 __flush_work.isra.0+0x212/0x230  The driver relies on the BNXT_STATE_NAPI_DISABLED bit to check if dim work has already been cancelled.  But in the bnxt_open() path, BNXT_STATE_NAPI_DISABLED is not set and this causes the error path to think that it needs to cancel the uninitialized dim work. Fix it by setting BNXT_STATE_NAPI_DISABLED during initialization. The bit will be cleared when we enable NAPI and initialize dim work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37935",
                        "url": "https://ubuntu.com/security/CVE-2025-37935",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM  If the mtk_poll_rx() function detects the MTK_RESETTING flag, it will jump to release_desc and refill the high word of the SDP on the 4GB RFB. Subsequently, mtk_rx_clean will process an incorrect SDP, leading to a panic.  Add patch from MediaTek's SDK to resolve this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37891",
                        "url": "https://ubuntu.com/security/CVE-2025-37891",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: ump: Fix buffer overflow at UMP SysEx message conversion  The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump().  It leads eventually to a buffer overflow, and may corrupt the memory when a longer SysEx message is received.  The fix is simply to extend the buffer size to 6 to fit with the SysEx UMP message.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-19 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37912",
                        "url": "https://ubuntu.com/security/CVE-2025-37912",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()  As mentioned in the commit baeb705fd6a7 (\"ice: always check VF VSI pointer values\"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37913",
                        "url": "https://ubuntu.com/security/CVE-2025-37913",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: qfq: Fix double list add in class with netem as child qdisc  As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.  This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37914",
                        "url": "https://ubuntu.com/security/CVE-2025-37914",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: ets: Fix double list add in class with netem as child qdisc  As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of ets, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.  In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before doing the addition to cater for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37915",
                        "url": "https://ubuntu.com/security/CVE-2025-37915",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: drr: Fix double list add in class with netem as child qdisc  As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.  In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before adding to the list to cover for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37916",
                        "url": "https://ubuntu.com/security/CVE-2025-37916",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pds_core: remove write-after-free of client_id  A use-after-free error popped up in stress testing:  [Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdsc_auxbus_dev_del+0xef/0x160 [pds_core] [Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47): [Mon Apr 21 21:21:33 2025]  pdsc_auxbus_dev_del+0xef/0x160 [pds_core] [Mon Apr 21 21:21:33 2025]  pdsc_remove+0xc0/0x1b0 [pds_core] [Mon Apr 21 21:21:33 2025]  pci_device_remove+0x24/0x70 [Mon Apr 21 21:21:33 2025]  device_release_driver_internal+0x11f/0x180 [Mon Apr 21 21:21:33 2025]  driver_detach+0x45/0x80 [Mon Apr 21 21:21:33 2025]  bus_remove_driver+0x83/0xe0 [Mon Apr 21 21:21:33 2025]  pci_unregister_driver+0x1a/0x80  The actual device uninit usually happens on a separate thread scheduled after this code runs, but there is no guarantee of order of thread execution, so this could be a problem.  There's no actual need to clear the client_id at this point, so simply remove the offending code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37917",
                        "url": "https://ubuntu.com/security/CVE-2025-37917",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll  Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll.  ``` BUG: spinlock recursion on CPU#0, swapper/0/0  lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0,     .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted     6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace:  show_stack+0x18/0x24 (C)  dump_stack_lvl+0x60/0x80  dump_stack+0x18/0x24  spin_dump+0x78/0x88  do_raw_spin_lock+0x11c/0x120  _raw_spin_lock+0x20/0x2c  mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac]  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x4c/0xb0  handle_fasteoi_irq+0xa0/0x1bc  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x120  do_interrupt_handler+0x50/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  regmap_mmio_read32le+0xc/0x20 (P)  _regmap_bus_reg_read+0x6c/0xac  _regmap_read+0x60/0xdc  regmap_read+0x4c/0x80  mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac]  __napi_poll+0x38/0x188  net_rx_action+0x164/0x2c0  handle_softirqs+0x100/0x244  __do_softirq+0x14/0x20  ____do_softirq+0x10/0x20  call_on_irq_stack+0x24/0x64  do_softirq_own_stack+0x1c/0x40  __irq_exit_rcu+0xd4/0x10c  irq_exit_rcu+0x10/0x1c  el1_interrupt+0x38/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  cpuidle_enter_state+0xac/0x320 (P)  cpuidle_enter+0x38/0x50  do_idle+0x1e4/0x260  cpu_startup_entry+0x34/0x3c  rest_init+0xdc/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ```",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37918",
                        "url": "https://ubuntu.com/security/CVE-2025-37918",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()  A NULL pointer dereference can occur in skb_dequeue() when processing a QCA firmware crash dump on WCN7851 (0489:e0f3).  [ 93.672166] Bluetooth: hci0: ACL memdump size(589824)  [ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth] [ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80  The issue stems from handle_dump_pkt_qca() returning 0 even when a dump packet is successfully processed. This is because it incorrectly forwards the return value of hci_devcd_init() (which returns 0 on success). As a result, the caller (btusb_recv_acl_qca() or btusb_recv_evt_qca()) assumes the packet was not handled and passes it to hci_recv_frame(), leading to premature kfree() of the skb.  Later, hci_devcd_rx() attempts to dequeue the same skb from the dump queue, resulting in a NULL pointer dereference.  Fix this by: 1. Making handle_dump_pkt_qca() return 0 on success and negative errno    on failure, consistent with kernel conventions. 2. Splitting dump packet detection into separate functions for ACL    and event packets for better structure and readability.  This ensures dump packets are properly identified and consumed, avoiding double handling and preventing NULL pointer access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37919",
                        "url": "https://ubuntu.com/security/CVE-2025-37919",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot  Update chip data using dev_get_drvdata(dev->parent) to fix NULL pointer deref in acp_i2s_set_tdm_slot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37896",
                        "url": "https://ubuntu.com/security/CVE-2025-37896",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: spi-mem: Add fix to avoid divide error  For some SPI flash memory operations, dummy bytes are not mandatory. For example, in Winbond SPINAND flash memory devices, the `write_cache` and `update_cache` operation variants have zero dummy bytes. Calculating the duration for SPI memory operations with zero dummy bytes causes a divide error when `ncycles` is calculated in the spi_mem_calc_op_duration().  Add changes to skip the 'ncycles' calculation for zero dummy bytes.  Following divide error is fixed by this change:   Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI ...    ? do_trap+0xdb/0x100   ? do_error_trap+0x75/0xb0   ? spi_mem_calc_op_duration+0x56/0xb0   ? exc_divide_error+0x3b/0x70   ? spi_mem_calc_op_duration+0x56/0xb0   ? asm_exc_divide_error+0x1b/0x20   ? spi_mem_calc_op_duration+0x56/0xb0   ? spinand_select_op_variant+0xee/0x190 [spinand]   spinand_match_and_init+0x13e/0x1a0 [spinand]   spinand_manufacturer_match+0x6e/0xa0 [spinand]   spinand_probe+0x357/0x7f0 [spinand]   ? kernfs_activate+0x87/0xd0   spi_mem_probe+0x7a/0xb0   spi_probe+0x7d/0x130",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37920",
                        "url": "https://ubuntu.com/security/CVE-2025-37920",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xsk: Fix race condition in AF_XDP generic RX path  Move rx_lock from xsk_socket to xsk_buff_pool. Fix synchronization for shared umem mode in generic RX path where multiple sockets share single xsk_buff_pool.  RX queue is exclusive to xsk_socket, while FILL queue can be shared between multiple sockets. This could result in race condition where two CPU cores access RX path of two different sockets sharing the same umem.  Protect both queues by acquiring spinlock in shared xsk_buff_pool.  Lock contention may be minimized in the future by some per-thread FQ buffering.  It's safe and necessary to move spin_lock_bh(rx_lock) after xsk_rcv_check(): * xs->pool and spinlock_init is synchronized by   xsk_bind() -> xsk_is_bound() memory barriers. * xsk_rcv_check() may return true at the moment   of xsk_release() or xsk_unbind_dev(),   however this will not cause any data races or   race conditions. xsk_unbind_dev() removes xdp   socket from all maps and waits for completion   of all outstanding rx operations. Packets in   RX path will either complete safely or drop.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37921",
                        "url": "https://ubuntu.com/security/CVE-2025-37921",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: vnifilter: Fix unlocked deletion of default FDB entry  When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1] being generated by the lockdep annotation that was added by commit ebe642067455 (\"vxlan: Create wrappers for FDB lookup\").  Reproducer:   # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1  # bridge vni add vni 10010 remote 198.51.100.1 dev vx0  # bridge vni del vni 10010 dev vx0  Fix by acquiring the hash lock before the deletion and releasing it afterwards. Blame the original commit that introduced the issue rather than the one that exposed it.  [1] WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0 [...] RIP: 0010:vxlan_find_mac+0x17f/0x1a0 [...] Call Trace:  <TASK>  __vxlan_fdb_delete+0xbe/0x560  vxlan_vni_delete_group+0x2ba/0x940  vxlan_vni_del.isra.0+0x15f/0x580  vxlan_process_vni_filter+0x38b/0x7b0  vxlan_vnifilter_process+0x3bb/0x510  rtnetlink_rcv_msg+0x2f7/0xb70  netlink_rcv_skb+0x131/0x360  netlink_unicast+0x426/0x710  netlink_sendmsg+0x75a/0xc20  __sock_sendmsg+0xc1/0x150  ____sys_sendmsg+0x5aa/0x7b0  ___sys_sendmsg+0xfc/0x180  __sys_sendmsg+0x121/0x1b0  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37897",
                        "url": "https://ubuntu.com/security/CVE-2025-37897",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release  plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases mac->lock can not be held as the driver is not working with the device at the moment. All functions that use mac->lock unlock it just after it was held. There is also no need to hold mac->lock for plfxlc_mac_release() itself, as mac data is not affected, except for mac->flags, which is modified atomically.  This bug leads to the following warning: ================================================================ WARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0 Modules linked in: CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: usb_hub_wq hub_event RIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106 Call Trace:  <TASK>  probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694  usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396  really_probe+0x2ab/0xcb0 drivers/base/dd.c:639  __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785  driver_probe_device+0x50/0x420 drivers/base/dd.c:815  __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943  bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429  __device_attach+0x359/0x570 drivers/base/dd.c:1015  bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489  device_add+0xb48/0xfd0 drivers/base/core.c:3696  usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165  usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238  usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293  
really_probe+0x2ab/0xcb0 drivers/base/dd.c:639  __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785  driver_probe_device+0x50/0x420 drivers/base/dd.c:815  __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943  bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429  __device_attach+0x359/0x570 drivers/base/dd.c:1015  bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489  device_add+0xb48/0xfd0 drivers/base/core.c:3696  usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620  hub_port_connect drivers/usb/core/hub.c:5477 [inline]  hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]  port_event drivers/usb/core/hub.c:5773 [inline]  hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855  process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292  worker_thread+0xa47/0x1200 kernel/workqueue.c:2439  kthread+0x28d/0x320 kernel/kthread.c:376  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295  </TASK> ================================================================  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37898",
                        "url": "https://ubuntu.com/security/CVE-2025-37898",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc64/ftrace: fix module loading without patchable function entries  get_stubs_size assumes that there must always be at least one patchable function entry, which is not always the case (modules that export data but no code), otherwise it returns -ENOEXEC and thus the section header sh_size is set to that value. During module_memory_alloc() the size is passed to execmem_alloc() after being page-aligned and thus set to zero which will cause it to fail the allocation (and thus module loading) as __vmalloc_node_range() checks for zero-sized allocs and returns null:  [  115.466896] module_64: cast_common: doesn't contain __patchable_function_entries. [  115.469189] ------------[ cut here ]------------ [  115.469496] WARNING: CPU: 0 PID: 274 at mm/vmalloc.c:3778 __vmalloc_node_range_noprof+0x8b4/0x8f0 ... [  115.478574] ---[ end trace 0000000000000000 ]--- [  115.479545] execmem: unable to allocate memory  Fix this by removing the check completely, since it is anyway not helpful to propagate this as an error upwards.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37922",
                        "url": "https://ubuntu.com/security/CVE-2025-37922",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  book3s64/radix : Align section vmemmap start address to PAGE_SIZE  A vmemmap altmap is a device-provided region used to provide backing storage for struct pages. For each namespace, the altmap should belong to that same namespace. If the namespaces are created unaligned, there is a chance that the section vmemmap start address could also be unaligned. If the section vmemmap start address is unaligned, the altmap page allocated from the current namespace might be used by the previous namespace also. During the free operation, since the altmap is shared between two namespaces, the previous namespace may detect that the page does not belong to its altmap and incorrectly assume that the page is a normal page. It then attempts to free the normal page, which leads to a kernel crash.  Kernel attempted to read user page (18) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000018 Faulting instruction address: 0xc000000000530c7c Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries CPU: 32 PID: 2104 Comm: ndctl Kdump: loaded Tainted: G        W NIP:  c000000000530c7c LR: c000000000530e00 CTR: 0000000000007ffe REGS: c000000015e57040 TRAP: 0300   Tainted: G        W MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 84482404 CFAR: c000000000530dfc DAR: 0000000000000018 DSISR: 40000000 IRQMASK: 0 GPR00: c000000000530e00 c000000015e572e0 c000000002c5cb00 c00c000101008040 GPR04: 0000000000000000 0000000000000007 0000000000000001 000000000000001f GPR08: 0000000000000005 0000000000000000 0000000000000018 0000000000002000 GPR12: c0000000001d2fb0 c0000060de6b0080 0000000000000000 c0000060dbf90020 GPR16: c00c000101008000 0000000000000001 0000000000000000 c000000125b20f00 GPR20: 0000000000000001 0000000000000000 ffffffffffffffff c00c000101007fff GPR24: 0000000000000001 
0000000000000000 0000000000000000 0000000000000000 GPR28: 0000000004040201 0000000000000001 0000000000000000 c00c000101008040 NIP [c000000000530c7c] get_pfnblock_flags_mask+0x7c/0xd0 LR [c000000000530e00] free_unref_page_prepare+0x130/0x4f0 Call Trace: free_unref_page+0x50/0x1e0 free_reserved_page+0x40/0x68 free_vmemmap_pages+0x98/0xe0 remove_pte_table+0x164/0x1e8 remove_pmd_table+0x204/0x2c8 remove_pud_table+0x1c4/0x288 remove_pagetable+0x1c8/0x310 vmemmap_free+0x24/0x50 section_deactivate+0x28c/0x2a0 __remove_pages+0x84/0x110 arch_remove_memory+0x38/0x60 memunmap_pages+0x18c/0x3d0 devm_action_release+0x30/0x50 release_nodes+0x68/0x140 devres_release_group+0x100/0x190 dax_pmem_compat_release+0x44/0x80 [dax_pmem_compat] device_for_each_child+0x8c/0x100 [dax_pmem_compat_remove+0x2c/0x50 [dax_pmem_compat] nvdimm_bus_remove+0x78/0x140 [libnvdimm] device_remove+0x70/0xd0  Another issue is that if there is no altmap, a PMD-sized vmemmap page will be allocated from RAM, regardless of the alignment of the section start address. If the section start address is not aligned to the PMD size, a VM_BUG_ON will be triggered when setting the PMD-sized page to page table.  In this patch, we are aligning the section vmemmap start address to PAGE_SIZE. After alignment, the start address will not be part of the current namespace, and a normal page will be allocated for the vmemmap mapping of the current section. For the remaining sections, altmaps will be allocated. During the free operation, the normal page will be correctly freed.  In the same way, a PMD_SIZE vmemmap page will be allocated only if the section start address is PMD_SIZE-aligned; otherwise, it will fall back to a PAGE-sized vmemmap allocation.  
Without this patch ================== NS1 start               NS2 start  _________________________________________________________ |         NS1               |            NS2              |  --------------------------------------------------------- | Altmap| Altmap | .....|Altmap| Altmap | ........... |  NS1  |  NS1   ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37923",
                        "url": "https://ubuntu.com/security/CVE-2025-37923",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix oob write in trace_seq_to_buffer()  syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260  CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc3/0x670 mm/kasan/report.c:521  kasan_report+0xe0/0x110 mm/kasan/report.c:634  check_region_inline mm/kasan/generic.c:183 [inline]  kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189  __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106  trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]  tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822  .... ==================================================================  It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37899",
                        "url": "https://ubuntu.com/security/CVE-2025-37899",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free in session logoff  The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37924",
                        "url": "https://ubuntu.com/security/CVE-2025-37924",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free in kerberos authentication  Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37926",
                        "url": "https://ubuntu.com/security/CVE-2025-37926",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free in ksmbd_session_rpc_open  A UAF issue can occur due to a race condition between ksmbd_session_rpc_open() and __session_rpc_close(). Add rpc_lock to the session to protect it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37900",
                        "url": "https://ubuntu.com/security/CVE-2025-37900",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommu: Fix two issues in iommu_copy_struct_from_user()  In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com  And Alok pointed out a typo at the same time: https://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com  Since both issues were copied from iommu_copy_struct_from_user(), fix them first in the current header.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37927",
                        "url": "https://ubuntu.com/security/CVE-2025-37927",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid  There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the check is insufficient in some cases. For example if the length of hid string is 4 and the length of the uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer which size is 256.  The same applies to the hid string with length 13 and uid string with length 250.  Check the length of hid and uid strings separately to prevent buffer overflow.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37928",
                        "url": "https://ubuntu.com/security/CVE-2025-37928",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-bufio: don't schedule in atomic context  A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled. [  129.444685][  T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421 [  129.444723][  T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4 [  129.444740][  T934] preempt_count: 201, expected: 0 [  129.444756][  T934] RCU nest depth: 0, expected: 0 [  129.444781][  T934] Preemption disabled at: [  129.444789][  T934] [<ffffffd816231900>] shrink_work+0x21c/0x248 [  129.445167][  T934] kernel BUG at kernel/sched/walt/walt_debug.c:16! [  129.445183][  T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [  129.445204][  T934] Skip md ftrace buffer dump for: 0x1609e0 [  129.447348][  T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G       W  OE      6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8 [  129.447362][  T934] Hardware name: Qualcomm Technologies, Inc. 
Parrot QRD, Alpha-M (DT) [  129.447373][  T934] Workqueue: dm_bufio_cache shrink_work [  129.447394][  T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  129.447406][  T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug] [  129.447435][  T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c [  129.447451][  T934] sp : ffffffc0843dbc90 [  129.447459][  T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b [  129.447479][  T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68 [  129.447497][  T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900 [  129.447517][  T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030 [  129.447535][  T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358 [  129.447554][  T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003 [  129.447572][  T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400 [  129.447591][  T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8 [  129.447610][  T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0 [  129.447629][  T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000 [  129.447647][  T934] Call trace: [  129.447655][  T934]  android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 1400000003000000474e550080cce8a8a78606b6] [  129.447681][  T934]  __might_resched+0x190/0x1a8 [  129.447694][  T934]  shrink_work+0x180/0x248 [  129.447706][  T934]  process_one_work+0x260/0x624 [  129.447718][  T934]  worker_thread+0x28c/0x454 [  129.447729][  T934]  kthread+0x118/0x158 [  129.447742][  T934]  ret_from_fork+0x10/0x20 [  129.447761][  T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000) [  129.447772][  T934] ---[ end trace 0000000000000000 ]---  dm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet is enabled, and __scan will be called in atomic context.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37990",
                        "url": "https://ubuntu.com/security/CVE-2025-37990",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()  The function brcmf_usb_dl_writeimage() calls the function brcmf_usb_dl_cmd() but does not check its return value. The 'state.state' and the 'state.bytes' are uninitialized if the function brcmf_usb_dl_cmd() fails. It is dangerous to use uninitialized variables in the conditions.  Add error handling for brcmf_usb_dl_cmd() to jump to error handling path if the brcmf_usb_dl_cmd() fails and the 'state.state' and the 'state.bytes' are uninitialized.  Improve the error message to report more detailed error information.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 18:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37901",
                        "url": "https://ubuntu.com/security/CVE-2025-37901",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs  On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not have a corresponding MPM pin and should not be handled inside the MPM driver. The IRQ domain hierarchy is always applied, so it's required to explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but irq-qcom-mpm is currently missing the check. This is causing crashes when setting up interrupts for non-wake GPIOs:   root@rb1:~# gpiomon -c gpiochip1 10    irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1    Unable to handle kernel paging request at virtual address ffff8000a1dc3820    Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT)    pc : mpm_set_type+0x80/0xcc    lr : mpm_set_type+0x5c/0xcc    Call trace:     mpm_set_type+0x80/0xcc (P)     qcom_mpm_set_type+0x64/0x158     irq_chip_set_type_parent+0x20/0x38     msm_gpio_irq_set_type+0x50/0x530     __irq_set_trigger+0x60/0x184     __setup_irq+0x304/0x6bc     request_threaded_irq+0xc8/0x19c     edge_detector_setup+0x260/0x364     linereq_create+0x420/0x5a8     gpio_ioctl+0x2d4/0x6c0  Fix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that MPM is removed entirely from the hierarchy for non-wake GPIOs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37936",
                        "url": "https://ubuntu.com/security/CVE-2025-37936",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.  When generating the MSR_IA32_PEBS_ENABLE value that will be loaded on VM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE value.  Consulting only the host kernel's host vs. guest masks results in running the guest with PEBS enabled even when the guest doesn't want to use PEBS.  Because KVM uses perf events to proxy the guest virtual PMU, simply looking at exclude_host can't differentiate between events created by host userspace, and events created by KVM on behalf of the guest.  Running the guest with PEBS unexpectedly enabled typically manifests as crashes due to a near-infinite stream of #PFs.  E.g. if the guest hasn't written MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when trying to record PEBS events.  The issue is most easily reproduced by running `perf kvm top` from before commit 7b100989b4f6 (\"perf evlist: Remove __evlist__add_default\") (after which, `perf kvm top` effectively stopped using PEBS).\tThe userspace side of perf creates a guest-only PEBS event, which intel_guest_get_msrs() misconstrues a guest-*owned* PEBS event.  Arguably, this is a userspace bug, as enabling PEBS on guest-only events simply cannot work, and userspace can kill VMs in many other ways (there is no danger to the host).  However, even if this is considered to be bad userspace behavior, there's zero downside to perf/KVM restricting PEBS to guest-owned events.  Note, commit 854250329c02 (\"KVM: x86/pmu: Disable guest PEBS temporarily in two rare situations\") fixed the case where host userspace is profiling KVM *and* userspace, but missed the case where userspace is profiling only KVM.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37991",
                        "url": "https://ubuntu.com/security/CVE-2025-37991",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Fix double SIGFPE crash  Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler.  Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately.  When the T bit is set, an assist exception trap occurs when when the co-processor encounters *any* floating-point instruction except for a double store of register %fr0.  The latter cancels all pending traps.  Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.  The issue can be reproduced with this test program:  root@parisc:~# cat fpe.c  static void fpe_func(int sig, siginfo_t *i, void *v) {         sigset_t set;         sigemptyset(&set);         sigaddset(&set, SIGFPE);         sigprocmask(SIG_UNBLOCK, &set, NULL);         printf(\"GOT signal %d with si_code %ld\\n\", sig, i->si_code); }  int main() {         struct sigaction action = {                 .sa_sigaction = fpe_func,                 .sa_flags = SA_RESTART|SA_SIGINFO };         sigaction(SIGFPE, &action, 0);         feenableexcept(FE_OVERFLOW);         return printf(\"%lf\\n\",1.7976931348623158E308*1.7976931348623158E308); }  root@parisc:~# gcc fpe.c -lm root@parisc:~# ./a.out  Floating point exception  root@parisc:~# strace -f ./a.out  execve(\"./a.out\", [\"./a.out\"], 0xf9ac7034 /* 20 vars */) = 0  getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0  ...  
rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0  --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---  --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---  +++ killed by SIGFPE +++  Floating point exception",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 18:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37929",
                        "url": "https://ubuntu.com/security/CVE-2025-37929",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays  Commit a5951389e58d (\"arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists\") added some additional CPUs to the Spectre-BHB workaround, including some new arrays for designs that require new 'k' values for the workaround to be effective.  Unfortunately, the new arrays omitted the sentinel entry and so is_midr_in_range_list() will walk off the end when it doesn't find a match. With UBSAN enabled, this leads to a crash during boot when is_midr_in_range_list() is inlined (which was more common prior to c8c2647e69be (\"arm64: Make  _midr_in_range_list() an exported function\")):   |  Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP  |  pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)  |  pc : spectre_bhb_loop_affected+0x28/0x30  |  lr : is_spectre_bhb_affected+0x170/0x190  | [...]  |  Call trace:  |   spectre_bhb_loop_affected+0x28/0x30  |   update_cpu_capabilities+0xc0/0x184  |   init_cpu_features+0x188/0x1a4  |   cpuinfo_store_boot_cpu+0x4c/0x60  |   smp_prepare_boot_cpu+0x38/0x54  |   start_kernel+0x8c/0x478  |   __primary_switched+0xc8/0xd4  |  Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)  |  ---[ end trace 0000000000000000 ]---  |  Kernel panic - not syncing: aarch64 BRK: Fatal exception  Add the missing sentinel entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37930",
                        "url": "https://ubuntu.com/security/CVE-2025-37930",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()  Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (race) a signaled fence remains in the pending list for a while, until it gets removed by nouveau_fence_update().  Should nouveau_fence_context_kill() run in the meantime, this would be a bug because the function would attempt to set an error code on an already signaled fence.  Have nouveau_fence_context_kill() check for a fence being signaled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37931",
                        "url": "https://ubuntu.com/security/CVE-2025-37931",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: adjust subpage bit start based on sectorsize  When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production.  This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes.  When writing out a subpage EB we scan the subpage bitmap for a dirty range.  If the range isn't dirty we do  \tbit_start++;  to move onto the next bit.  The problem is the bitmap is based on the number of sectors that an EB has.  So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize.  This means our bitmap is 4 bits for every node.  With a 64k page size we end up with 4 nodes per page.  To make this easier this is how everything looks  [0         16k       32k       48k     ] logical address [0         4         8         12      ] radix tree offset [               64k page               ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | |  | | | |   | | | |   | | | | ] bitmap  Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4.  When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k.  However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries.  In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again.  
This time it is dirty, and we go to find that start using the following equation  \tstart = folio_start + bit_start * fs_info->sectorsize;  so in the case above, eb->start 0 is now dirty, and we calculate start as  \t0 + 1 * fs_info->sectorsize = 4096 \t4096 >> 12 = 1  Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5.  If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers.  The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change.  Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37798",
                        "url": "https://ubuntu.com/security/CVE-2025-37798",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()  After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37997",
                        "url": "https://ubuntu.com/security/CVE-2025-37997",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: fix region locking in hash types  Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37890",
                        "url": "https://ubuntu.com/security/CVE-2025-37890",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc  As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).  This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-16 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37799",
                        "url": "https://ubuntu.com/security/CVE-2025-37799",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp  vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes).  We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.  In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets).  We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible).  Commit e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts. 
For e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-03 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37800",
                        "url": "https://ubuntu.com/security/CVE-2025-37800",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  driver core: fix potential NULL pointer dereference in dev_uevent()  If userspace reads \"uevent\" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it.  Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37801",
                        "url": "https://ubuntu.com/security/CVE-2025-37801",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: spi-imx: Add check for spi_imx_setupxfer()  Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference.   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000  Call trace:   0x0   spi_imx_pio_transfer+0x50/0xd8   spi_imx_transfer_one+0x18c/0x858   spi_transfer_one_message+0x43c/0x790   __spi_pump_transfer_message+0x238/0x5d4   __spi_sync+0x2b0/0x454   spi_write_then_read+0x11c/0x200",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37802",
                        "url": "https://ubuntu.com/security/CVE-2025-37802",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix WARNING \"do not call blocking ops when !TASK_RUNNING\"  wait_event_timeout() will set the state of the current task to TASK_UNINTERRUPTIBLE, before doing the condition check. This means that ksmbd_durable_scavenger_alive() will try to acquire the mutex while already in a sleeping state. The scheduler warns us by giving the following warning:  do not call blocking ops when !TASK_RUNNING; state=2 set at  [<0000000061515a6f>] prepare_to_wait_event+0x9f/0x6c0 WARNING: CPU: 2 PID: 4147 at kernel/sched/core.c:10099 __might_sleep+0x12f/0x160  mutex lock is not needed in ksmbd_durable_scavenger_alive().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37876",
                        "url": "https://ubuntu.com/security/CVE-2025-37876",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS  When testing a special config:  CONFIG_NETFS_SUPPORTS=y CONFIG_PROC_FS=n  The system crashes with something like:  [    3.766197] ------------[ cut here ]------------ [    3.766484] kernel BUG at mm/mempool.c:560! [    3.766789] Oops: invalid opcode: 0000 [#1] SMP NOPTI [    3.767123] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W [    3.767777] Tainted: [W]=WARN [    3.767968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), [    3.768523] RIP: 0010:mempool_alloc_slab.cold+0x17/0x19 [    3.768847] Code: 50 fe ff 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 93 95 13 00 [    3.769977] RSP: 0018:ffffc90000013998 EFLAGS: 00010286 [    3.770315] RAX: 000000000000002f RBX: ffff888100ba8640 RCX: 0000000000000000 [    3.770749] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff [    3.771217] RBP: 0000000000092880 R08: 0000000000000000 R09: ffffc90000013828 [    3.771664] R10: 0000000000000001 R11: 00000000ffffffea R12: 0000000000092cc0 [    3.772117] R13: 0000000000000400 R14: ffff8881004b1620 R15: ffffea0004ef7e40 [    3.772554] FS:  0000000000000000(0000) GS:ffff8881b5f3c000(0000) knlGS:0000000000000000 [    3.773061] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [    3.773443] CR2: ffffffff830901b4 CR3: 0000000004296001 CR4: 0000000000770ef0 [    3.773884] PKRU: 55555554 [    3.774058] Call Trace: [    3.774232]  <TASK> [    3.774371]  mempool_alloc_noprof+0x6a/0x190 [    3.774649]  ? _printk+0x57/0x80 [    3.774862]  netfs_alloc_request+0x85/0x2ce [    3.775147]  netfs_readahead+0x28/0x170 [    3.775395]  read_pages+0x6c/0x350 [    3.775623]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.775928]  page_cache_ra_unbounded+0x1bd/0x2a0 [    3.776247]  filemap_get_pages+0x139/0x970 [    3.776510]  ? 
srso_alias_return_thunk+0x5/0xfbef5 [    3.776820]  filemap_read+0xf9/0x580 [    3.777054]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.777368]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.777674]  ? find_held_lock+0x32/0x90 [    3.777929]  ? netfs_start_io_read+0x19/0x70 [    3.778221]  ? netfs_start_io_read+0x19/0x70 [    3.778489]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.778800]  ? lock_acquired+0x1e6/0x450 [    3.779054]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.779379]  netfs_buffered_read_iter+0x57/0x80 [    3.779670]  __kernel_read+0x158/0x2c0 [    3.779927]  bprm_execve+0x300/0x7a0 [    3.780185]  kernel_execve+0x10c/0x140 [    3.780423]  ? __pfx_kernel_init+0x10/0x10 [    3.780690]  kernel_init+0xd5/0x150 [    3.780910]  ret_from_fork+0x2d/0x50 [    3.781156]  ? __pfx_kernel_init+0x10/0x10 [    3.781414]  ret_from_fork_asm+0x1a/0x30 [    3.781677]  </TASK> [    3.781823] Modules linked in: [    3.782065] ---[ end trace 0000000000000000 ]---  This is caused by the following error path in netfs_init():          if (!proc_mkdir(\"fs/netfs\", NULL))                 goto error_proc;  Fix this by adding ifdef in netfs_main(), so that /proc/fs/netfs is only created with CONFIG_PROC_FS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37877",
                        "url": "https://ubuntu.com/security/CVE-2025-37877",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommu: Clear iommu-dma ops on cleanup  If iommu_device_register() encounters an error, it can end up tearing down already-configured groups and default domains, however this currently still leaves devices hooked up to iommu-dma (and even historically the behaviour in this area was at best inconsistent across architectures/drivers...) Although in the case that an IOMMU is present whose driver has failed to probe, users cannot necessarily expect DMA to work anyway, it's still arguable that we should do our best to put things back as if the IOMMU driver was never there at all, and certainly the potential for crashing in iommu-dma itself is undesirable. Make sure we clean up the dev->dma_iommu flag along with everything else.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37878",
                        "url": "https://ubuntu.com/security/CVE-2025-37878",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init  Move the get_ctx(child_ctx) call and the child_event->ctx assignment to occur immediately after the child event is allocated. Ensure that child_event->ctx is non-NULL before any subsequent error path within inherit_event calls free_event(), satisfying the assumptions of the cleanup code.  Details:  There's no clear Fixes tag, because this bug is a side-effect of multiple interacting commits over time (up to 15 years old), not a single regression.  The code initially incremented refcount then assigned context immediately after the child_event was created. Later, an early validity check for child_event was added before the refcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was added, assuming event->ctx is valid if the pmu_ctx is valid. The problem is that the WARN_ON_ONCE() could trigger after the initial check passed but before child_event->ctx was assigned, violating its precondition. The solution is to assign child_event->ctx right after its initial validation. This ensures the context exists for any subsequent checks or cleanup routines, resolving the WARN_ON_ONCE().  To resolve it, defer the refcount update and child_event->ctx assignment directly after child_event->pmu_ctx is set but before checking if the parent event is orphaned. The cleanup routine depends on event->pmu_ctx being non-NULL before it verifies event->ctx is non-NULL. This also maintains the author's original intent of passing in child_ctx to find_get_pmu_context before its refcount/assignment.  [ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37803",
                        "url": "https://ubuntu.com/security/CVE-2025-37803",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udmabuf: fix a buf size overflow issue during udmabuf creation  by casting size_limit_mb to u64  when calculate pglimit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37804",
                        "url": "https://ubuntu.com/security/CVE-2025-37804",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "negligible",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37879",
                        "url": "https://ubuntu.com/security/CVE-2025-37879",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/net: fix improper handling of bogus negative read/write replies  In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) <= rsize (positive) because both variables were signed.  Make variables unsigned to avoid this problem.  The reproducer linked below now fails with the following error instead of a null pointer deref: 9pnet: bogus RWRITE count (4294967295 > 3)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37880",
                        "url": "https://ubuntu.com/security/CVE-2025-37880",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  um: work around sched_yield not yielding in time-travel mode  sched_yield by a userspace may not actually cause scheduling in time-travel mode as no time has passed. In the case seen it appears to be a badly implemented userspace spinlock in ASAN. Unfortunately, with time-travel it causes an extreme slowdown or even deadlock depending on the kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS).  Work around it by accounting time to the process whenever it executes a sched_yield syscall.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37881",
                        "url": "https://ubuntu.com/security/CVE-2025-37881",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()  The variable d->name, returned by devm_kasprintf(), could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 (\"ice: Fix some null pointer dereference issues in ice_ptp.c\").  This issue is found by our static analysis tool",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37882",
                        "url": "https://ubuntu.com/security/CVE-2025-37882",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: xhci: Fix isochronous Ring Underrun/Overrun event handling  The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position.  I can trigger this race by rising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load.  If this ever happens after a Missed Service Error, missed TDs will be skipped and the new TD processed as if it matched the event. It could be given back prematurely, risking data loss or buffer UAF by the xHC.  Don't complete TDs on xrun events and don't warn if queued TDs don't match the event's TRB pointer, which can be NULL or a link/no-op TRB. Don't warn if there are no queued TDs at all.  Now that it's safe, also handle xrun events if the skip flag is clear. This ensures completion of any TD stuck in 'error mid TD' state right before the xrun event, which could happen if a driver submits a finite number of URBs to a buggy HC and then an error occurs on the last TD.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37805",
                        "url": "https://ubuntu.com/security/CVE-2025-37805",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound/virtio: Fix cancel_sync warnings on uninitialized work_structs  Betty reported hitting the following warning:  [    8.709131][  T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182 ... [    8.713282][  T221] Call trace: [    8.713365][  T221]  __flush_work+0x8d0/0x914 [    8.713468][  T221]  __cancel_work_sync+0xac/0xfc [    8.713570][  T221]  cancel_work_sync+0x24/0x34 [    8.713667][  T221]  virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] [    8.713868][  T221]  virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] [    8.714035][  T221]  virtio_dev_probe+0x28c/0x390 [    8.714139][  T221]  really_probe+0x1bc/0x4c8 ...  It seems we're hitting the error path in virtsnd_probe(), which triggers a virtsnd_remove() which iterates over the substreams calling cancel_work_sync() on the elapsed_period work_struct.  Looking at the code, from earlier in: virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg()  We set snd->nsubstreams, allocate the snd->substreams, and if we then hit an error on the info allocation or something in virtsnd_ctl_query_info() fails, we will exit without having initialized the elapsed_period work_struct.  When that error path unwinds we then call virtsnd_remove() which as long as the substreams array is allocated, will iterate through calling cancel_work_sync() on the uninitialized work struct hitting this warning.  Takashi Iwai suggested this fix, which initializes the substreams structure right after allocation, so that if we hit the error paths we avoid trying to cleanup uninitialized data.  Note: I have not yet managed to reproduce the issue myself, so this patch has had limited testing.  Feedback or thoughts would be appreciated!",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37806",
                        "url": "https://ubuntu.com/security/CVE-2025-37806",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/ntfs3: Keep write operations atomic  syzbot reported a NULL pointer dereference in __generic_file_write_iter. [1]  Before the write operation is completed, the user executes ioctl[2] to clear the compress flag of the file, which causes the is_compressed() judgment to return 0, further causing the program to enter the wrong process and call the wrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of write_begin.  Use inode lock to synchronize ioctl and write to avoid this case.  [1] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info:   ESR = 0x0000000086000006   EC = 0x21: IABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000 [0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055 sp : ffff80009d4978a0 x29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8 x26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68 x23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000 x20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c x17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001 x14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0 x11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff80009d497980 
x4 : ffff80009d497960 x3 : 0000000000001000 x2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0 Call trace:  0x0 (P)  __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156  ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267  new_sync_write fs/read_write.c:586 [inline]  vfs_write+0x920/0xcf4 fs/read_write.c:679  ksys_write+0x15c/0x26c fs/read_write.c:731  __do_sys_write fs/read_write.c:742 [inline]  __se_sys_write fs/read_write.c:739 [inline]  __arm64_sys_write+0x7c/0x90 fs/read_write.c:739  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744  el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762  [2] ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000000c0)=0x20)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37883",
                        "url": "https://ubuntu.com/security/CVE-2025-37883",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/sclp: Add check for get_zeroed_page()  Add check for the return value of get_zeroed_page() in sclp_console_init() to prevent null pointer dereference. Furthermore, to solve the memory leak caused by the loop allocation, add a free helper to do the free job.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37884",
                        "url": "https://ubuntu.com/security/CVE-2025-37884",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix deadlock between rcu_tasks_trace and event_mutex.  Fix the following deadlock: CPU A _free_event()   perf_kprobe_destroy()     mutex_lock(&event_mutex)       perf_trace_event_unreg()         synchronize_rcu_tasks_trace()  There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case.  CPU B bpf_prog_test_run_syscall()   rcu_read_lock_trace()     bpf_prog_run_pin_on_cpu()       bpf_prog_load()         bpf_tracing_func_proto()           trace_set_clr_event()             mutex_lock(&event_mutex)  Delegate trace_set_clr_event() to workqueue to avoid such lock dependency.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37807",
                        "url": "https://ubuntu.com/security/CVE-2025-37807",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix kmemleak warning for percpu hashmap  Vlad Poenaru reported the following kmemleak issue:    unreferenced object 0x606fd7c44ac8 (size 32):     backtrace (crc 0):       pcpu_alloc_noprof+0x730/0xeb0       bpf_map_alloc_percpu+0x69/0xc0       prealloc_init+0x9d/0x1b0       htab_map_alloc+0x363/0x510       map_create+0x215/0x3a0       __sys_bpf+0x16b/0x3e0       __x64_sys_bpf+0x18/0x20       do_syscall_64+0x7b/0x150       entry_SYSCALL_64_after_hwframe+0x4b/0x53  Further investigation shows the reason is due to not 8-byte aligned store of percpu pointer in htab_elem_set_ptr():   *(void __percpu **)(l->key + key_size) = pptr;  Note that the whole htab_elem alignment is 8 (for x86_64). If the key_size is 4, that means pptr is stored in a location which is 4 byte aligned but not 8 byte aligned. In mm/kmemleak.c, scan_block() scans the memory based on 8 byte stride, so it won't detect above pptr, hence reporting the memory leak.  In htab_map_alloc(), we already have          htab->elem_size = sizeof(struct htab_elem) +                           round_up(htab->map.key_size, 8);         if (percpu)                 htab->elem_size += sizeof(void *);         else                 htab->elem_size += round_up(htab->map.value_size, 8);  So storing pptr with 8-byte alignment won't cause any problem and can fix kmemleak too.  The issue can be reproduced with bpf selftest as well:   1. Enable CONFIG_DEBUG_KMEMLEAK config   2. Add a getchar() before skel destroy in test_hash_map() in prog_tests/for_each.c.      The purpose is to keep map available so kmemleak can be detected.   3. run './test_progs -t for_each/hash_map &' and a kmemleak should be reported.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37808",
                        "url": "https://ubuntu.com/security/CVE-2025-37808",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: null - Use spin lock instead of mutex  As the null algorithm may be freed in softirq context through af_alg, use spin locks instead of mutexes to protect the default null algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37809",
                        "url": "https://ubuntu.com/security/CVE-2025-37809",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: class: Fix NULL pointer access  Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer dereference. This patch adds a mutex to protect USB device pointers and prevent this issue. The same mutex protects both the device pointers and the partner device registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37810",
                        "url": "https://ubuntu.com/security/CVE-2025-37810",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: dwc3: gadget: check that event count does not exceed event buffer length  The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37811",
                        "url": "https://ubuntu.com/security/CVE-2025-37811",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: chipidea: ci_hdrc_imx: fix usbmisc handling  usbmisc is an optional device property so it is totally valid for the corresponding data->usbmisc_data to have a NULL value.  Check that before dereferencing the pointer.  Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37812",
                        "url": "https://ubuntu.com/security/CVE-2025-37812",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: Fix deadlock when using NCM gadget  The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 (\"usb: cdnsp: Fix deadlock issue during using NCM gadget\").  Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using \"iperf --bidir\" over NCM ethernet link.  The deadlock occurs because the threaded interrupt handler gets preempted by a softirq, but both are protected by the same spinlock. Prevent deadlock by disabling softirq during threaded irq handler.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37813",
                        "url": "https://ubuntu.com/security/CVE-2025-37813",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: xhci: Fix invalid pointer dereference in Etron workaround  This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called.  Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well.  Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result.  Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37814",
                        "url": "https://ubuntu.com/security/CVE-2025-37814",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT  This requirement was overeagerly loosened in commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN\"), but as it turns out,    (1) the logic I implemented there was inconsistent (apologies!),    (2) TIOCL_SELMOUSEREPORT might actually be a small security risk       after all, and    (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse       daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN       already.  In more detail:  1. The previous patch has inconsistent logic:     In commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes    without CAP_SYS_ADMIN\"), we checked for sel_mode ==    TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of    this \"mode\" parameter were actually used as an additional way to    pass an argument.  So the patch did actually still require    CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not    require it if none of the mouse buttons bits are set.     This logic is inconsistent and was not intentional.  We should have    the same policies for using TIOCL_SELMOUSEREPORT independent of the    value of the \"hidden\" mouse button argument.     I sent a separate documentation patch to the man page list with    more details on TIOCL_SELMOUSEREPORT:    https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/  2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can    let an attacker simulate \"keyboard\" input to command line    applications on the same terminal, like TIOCSTI and some other    TIOCLINUX \"selection mode\" IOCTLs.     
By enabling mouse reporting on a terminal and then injecting mouse    reports through TIOCL_SELMOUSEREPORT, an attacker can simulate    mouse movements on the same terminal, similar to the TIOCSTI    keystroke injection attacks that were previously possible with    TIOCSTI and other TIOCL_SETSEL selection modes.     Many programs (including libreadline/bash) are then prone to    misinterpret these mouse reports as normal keyboard input because    they do not expect input in the X11 mouse protocol form.  The    attacker does not have complete control over the escape sequence,    but they can at least control the values of two consecutive bytes    in the binary mouse reporting escape sequence.     I went into more detail on that in the discussion at    https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/     It is not equally trivial to simulate arbitrary keystrokes as it    was with TIOCSTI (commit 83efeeeb3d04 (\"tty: Allow TIOCSTI to be    disabled\")), but the general mechanism is there, and together with    the small number of existing legit use cases (see below), it would    be better to revert back to requiring CAP_SYS_ADMIN for    TIOCL_SELMOUSEREPORT, as it was already the case before    commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes without    CAP_SYS_ADMIN\").  3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or    Consolation), and they are the only legit use case:     To quote console_codes(4):       The mouse tracking facility is intended to return      xterm(1)-compatible mouse status reports.  Because the console      driver has no way to know the device or type of the mouse, these      reports are returned in the console input stream only when the      virtual terminal driver receives a mouse update ioctl.  These      ioctls must be generated by a mouse-aware user-mode application      such as the gpm(8) daemon.     
Jared Finder has also confirmed in    https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/    that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it    would be difficult to find good reasons for doing that, given that    it would interfere with the reports that GPM is sending.     More information on the interaction between GPM, terminals and th ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37815",
                        "url": "https://ubuntu.com/security/CVE-2025-37815",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration  Resolve kernel panic while accessing IRQ handler associated with the generated IRQ. This is done by acquiring the spinlock and storing the current interrupt state before handling the interrupt request using generic_handle_irq.  A previous fix patch was submitted where 'generic_handle_irq' was replaced with 'handle_nested_irq'. However, this change also causes the kernel panic where after determining which GPIO triggered the interrupt and attempting to call handle_nested_irq with the mapped IRQ number, leads to a failure in locating the registered handler.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37885",
                        "url": "https://ubuntu.com/security/CVE-2025-37885",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Reset IRTE to host control if *new* route isn't postable  Restore an IRTE back to host control (remapped or posted MSI mode) if the *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of the GSI routing type.  Updating the IRTE if and only if the new GSI is an MSI results in KVM leaving an IRTE posting to a vCPU.  The dangling IRTE can result in interrupts being incorrectly delivered to the guest, and in the worst case scenario can result in use-after-free, e.g. if the VM is torn down, but the underlying host IRQ isn't freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37816",
                        "url": "https://ubuntu.com/security/CVE-2025-37816",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mei: vsc: Fix fortify-panic caused by invalid counted_by() use  gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length *without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered:  [   80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [   80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 ... [   80.843175]  __fortify_panic+0x9/0xb [   80.843186]  vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] [   80.843210]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [   80.843229]  ? lockdep_hardirqs_on+0x7c/0x110 [   80.843250]  mei_vsc_hw_start+0x98/0x120 [mei_vsc] [   80.843270]  mei_reset+0x11d/0x420 [mei]  The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet.  Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37817",
                        "url": "https://ubuntu.com/security/CVE-2025-37817",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mcb: fix a double free bug in chameleon_parse_gdd()  In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37818",
                        "url": "https://ubuntu.com/security/CVE-2025-37818",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Return NULL from huge_pte_offset() for invalid PMD  LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot even if the underlying entry points to invalid_pte_table (indicating no mapping). Callers like smaps_hugetlb_range() fetch this invalid entry value (the address of invalid_pte_table) via this pointer.  The generic is_swap_pte() check then incorrectly identifies this address as a swap entry on LoongArch, because it satisfies the \"!pte_present() && !pte_none()\" conditions. This misinterpretation, combined with a coincidental match by is_migration_entry() on the address bits, leads to kernel crashes in pfn_swap_entry_to_page().  Fix this at the architecture level by modifying huge_pte_offset() to check the PMD entry's content using pmd_none() before returning. If the entry is invalid (i.e., it points to invalid_pte_table), return NULL instead of the pointer to the slot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37819",
                        "url": "https://ubuntu.com/security/CVE-2025-37819",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()  With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger:   Unable to handle kernel paging request at virtual address ffff8000816c0400   gicv2m_get_fwnode+0x0/0x58 (P)   pci_set_bus_msi_domain+0x74/0x88   pci_register_host_bridge+0x194/0x548  This is easily reproducible on a Juno board with ACPI boot.  Retain the function for later use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37820",
                        "url": "https://ubuntu.com/security/CVE-2025-37820",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()  The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior.  On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the page's reference count is not decremented.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37821",
                        "url": "https://ubuntu.com/security/CVE-2025-37821",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash  There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash.  The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case:  1. In the if (entity_is_task(se)) else block at the beginning of    dequeue_entities(), slice is set to    cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then    it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX. 2. The first for_each_sched_entity() loop dequeues the entity. 3. If the entity was its parent's only child, then the next iteration    tries to dequeue the parent. 4. If the parent's dequeue needs to be delayed, then it breaks from the    first for_each_sched_entity() loop _without updating slice_. 5. The second for_each_sched_entity() loop sets the parent's ->slice to    the saved slice, which is still U64_MAX.  This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was:  6. In update_entity_lag(), se->slice is used to calculate limit, which    ends up as a huge negative number. 7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit    is negative, vlag > limit, so se->vlag is set to the same huge    negative number. 8. In place_entity(), se->vlag is scaled, which overflows and results in    another huge (positive or negative) number. 9. The adjusted lag is subtracted from se->vruntime, which increases or    decreases se->vruntime by a huge number. 10. 
pick_eevdf() calls entity_eligible()/vruntime_eligible(), which     incorrectly returns false because the vruntime is so far from the     other vruntimes on the queue, causing the     (vruntime - cfs_rq->min_vruntime) * load calculation to overflow. 11. Nothing appears to be eligible, so pick_eevdf() returns NULL. 12. pick_next_entity() tries to dereference the return value of     pick_eevdf() and crashes.  Dumping the cfs_rq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64_MAX on live systems (which was usually \"benign\" since the rest of the runqueue needed to be in a particular state to crash).  Fix it in dequeue_entities() by always setting slice from the first non-empty cfs_rq.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37822",
                        "url": "https://ubuntu.com/security/CVE-2025-37822",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: uprobes: Add missing fence.i after building the XOL buffer  The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution of stale/broken instructions.  This was found running the BPF selftests \"test_progs: uprobe_autoattach, attach_probe\" on the Spacemit K1/X60, where the uprobes tests randomly blew up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37886",
                        "url": "https://ubuntu.com/security/CVE-2025-37886",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pds_core: make wait_context part of q_info  Make the wait_context a full part of the q_info struct rather than a stack variable that goes away after pdsc_adminq_post() is done so that the context is still available after the wait loop has given up.  There was a case where a slow development firmware caused the adminq request to time out, but then later the FW finally finished the request and sent the interrupt.  The handler tried to complete_all() the completion context that had been created on the stack in pdsc_adminq_post() but no longer existed. This caused bad pointer usage, kernel crashes, and much wailing and gnashing of teeth.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37887",
                        "url": "https://ubuntu.com/security/CVE-2025-37887",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result  If the FW doesn't support the PDS_CORE_CMD_FW_CONTROL command the driver might at the least print garbage and at the worst crash when the user runs the \"devlink dev info\" devlink command.  This happens because the stack variable fw_list is not 0 initialized which results in fw_list.num_fw_slots being a garbage value from the stack.  Then the driver tries to access fw_list.fw_names[i] with i >= ARRAY_SIZE and runs off the end of the array.  Fix this by initializing the fw_list and by not failing completely if the devcmd fails because other useful information is printed via devlink dev info even if the devcmd fails.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37823",
                        "url": "https://ubuntu.com/security/CVE-2025-37823",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too  Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37797",
                        "url": "https://ubuntu.com/security/CVE-2025-37797",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class handling  This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel.  The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,    codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding    the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes    are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free  The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37824",
                        "url": "https://ubuntu.com/security/CVE-2025-37824",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: fix NULL pointer dereference in tipc_mon_reinit_self()  syzbot reported:  tipc: Node number set to 1055423674 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events tipc_net_finalize_work RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140  process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238  process_scheduled_works kernel/workqueue.c:3319 [inline]  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400  kthread+0x3c2/0x780 kernel/kthread.c:464  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK> ... RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... 
RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  There is a racing condition between workqueue created when enabling bearer and another thread created when disabling bearer right after that as follow:  enabling_bearer                          | disabling_bearer ---------------                          | ---------------- tipc_disc_timeout()                      | {                                        | bearer_disable()  ...                                     | {  schedule_work(&tn->work);               |  tipc_mon_delete()  ...                                     |  { }                                        |   ...                                          |   write_lock_bh(&mon->lock);                                          |   mon->self = NULL;                                          |   write_unlock_bh(&mon->lock);                                          |   ...                                          |  } tipc_net_finalize_work()                 | } {                                        |  ...                                     |  tipc_net_finalize()                     |  {                                       |   ...                                    |   tipc_mon_reinit_self()                 |   {                                      |    ...                                   
|    write_lock_bh(&mon->lock);            |    mon->self->addr = tipc_own_addr(net); |    write_unlock_bh(&mon->lock);          |    ...             ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37825",
                        "url": "https://ubuntu.com/security/CVE-2025-37825",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet: fix out-of-bounds access in nvmet_enable_port  When trying to enable a port that has no transport configured yet, nvmet_enable_port() uses NVMF_TRTYPE_MAX (255) to query the transports array, causing an out-of-bounds access:  [  106.058694] BUG: KASAN: global-out-of-bounds in nvmet_enable_port+0x42/0x1da [  106.058719] Read of size 8 at addr ffffffff89dafa58 by task ln/632 [...] [  106.076026] nvmet: transport type 255 not supported  Since commit 200adac75888, NVMF_TRTYPE_MAX is the default state as configured by nvmet_ports_make(). Avoid this by checking for NVMF_TRTYPE_MAX before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37826",
                        "url": "https://ubuntu.com/security/CVE-2025-37826",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer()  Add a NULL check for the returned hwq pointer by ufshcd_mcq_req_to_hwq().  This is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix ufshcd_abort_one racing issue\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37888",
                        "url": "https://ubuntu.com/security/CVE-2025-37888",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()  Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-09 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37827",
                        "url": "https://ubuntu.com/security/CVE-2025-37827",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: zoned: return EIO on RAID1 block group write pointer mismatch  There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks.  The stack trace has the following signature:    BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile   BUG: kernel NULL pointer dereference, address: 0000000000000058   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 0 P4D 0   Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI   RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0   RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246   RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001   RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410   RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000   R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000   R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000   FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000   CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0   Call Trace:   <TASK>   ? __die_body.cold+0x19/0x27   ? page_fault_oops+0x15c/0x2f0   ? exc_page_fault+0x7e/0x180   ? asm_exc_page_fault+0x26/0x30   ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0   btrfs_add_free_space_async_trimmed+0x34/0x40   btrfs_add_new_free_space+0x107/0x120   btrfs_make_block_group+0x104/0x2b0   btrfs_create_chunk+0x977/0xf20   btrfs_chunk_alloc+0x174/0x510   ? srso_return_thunk+0x5/0x5f   btrfs_inc_block_group_ro+0x1b1/0x230   btrfs_relocate_block_group+0x9e/0x410   btrfs_relocate_chunk+0x3f/0x130   btrfs_balance+0x8ac/0x12b0   ? srso_return_thunk+0x5/0x5f   ? 
srso_return_thunk+0x5/0x5f   ? __kmalloc_cache_noprof+0x14c/0x3e0   btrfs_ioctl+0x2686/0x2a80   ? srso_return_thunk+0x5/0x5f   ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120   __x64_sys_ioctl+0x97/0xc0   do_syscall_64+0x82/0x160   ? srso_return_thunk+0x5/0x5f   ? __memcg_slab_free_hook+0x11a/0x170   ? srso_return_thunk+0x5/0x5f   ? kmem_cache_free+0x3f0/0x450   ? srso_return_thunk+0x5/0x5f   ? srso_return_thunk+0x5/0x5f   ? syscall_exit_to_user_mode+0x10/0x210   ? srso_return_thunk+0x5/0x5f   ? do_syscall_64+0x8e/0x160   ? sysfs_emit+0xaf/0xc0   ? srso_return_thunk+0x5/0x5f   ? srso_return_thunk+0x5/0x5f   ? seq_read_iter+0x207/0x460   ? srso_return_thunk+0x5/0x5f   ? vfs_read+0x29c/0x370   ? srso_return_thunk+0x5/0x5f   ? srso_return_thunk+0x5/0x5f   ? syscall_exit_to_user_mode+0x10/0x210   ? srso_return_thunk+0x5/0x5f   ? do_syscall_64+0x8e/0x160   ? srso_return_thunk+0x5/0x5f   ? exc_page_fault+0x7e/0x180   entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7fdab1e0ca6d   RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010   RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d   RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003   RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013   R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000   R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001   </TASK>   CR2: 0000000000000058   ---[ end trace 0000000000000000 ]---  The 1st line is the most interesting here:   BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile  When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems.  
But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37828",
                        "url": "https://ubuntu.com/security/CVE-2025-37828",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()  A race can occur between the MCQ completion path and the abort handler: once a request completes, __blk_mq_free_request() sets rq->mq_hctx to NULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in ufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash.  Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference.  As suggested by Bart, the ufshcd_cmd_inflight() check is removed.  This is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix ufshcd_abort_one racing issue\").  This is found by our static analysis tool KNighter.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37829",
                        "url": "https://ubuntu.com/security/CVE-2025-37829",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()  cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scpi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37830",
                        "url": "https://ubuntu.com/security/CVE-2025-37830",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()  cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37831",
                        "url": "https://ubuntu.com/security/CVE-2025-37831",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate()  cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. apple_soc_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37832",
                        "url": "https://ubuntu.com/security/CVE-2025-37832",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "negligible",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37833",
                        "url": "https://ubuntu.com/security/CVE-2025-37833",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads  Fix niu_try_msix() to not cause a fatal trap on sparc systems.  Set PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to work around a bug in the hardware or firmware.  For each vector entry in the msix table, niu chips will cause a fatal trap if any registers in that entry are read before that entries' ENTRY_DATA register is written to. Testing indicates writes to other registers are not sufficient to prevent the fatal trap, however the value does not appear to matter. This only needs to happen once after power up, so simply rebooting into a kernel lacking this fix will NOT cause the trap.  NON-RESUMABLE ERROR: Reporting on cpu 64 NON-RESUMABLE ERROR: TPC [0x00000000005f6900] <msix_prepare_msi_desc+0x90/0xa0> NON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff NON-RESUMABLE ERROR:     0000000800000000:0000000000000000:0000000000000000:0000000000000000] NON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff] NON-RESUMABLE ERROR: type [precise nonresumable] NON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv > NON-RESUMABLE ERROR: raddr [0xffffffffffffffff] NON-RESUMABLE ERROR: insn effective address [0x000000c50020000c] NON-RESUMABLE ERROR: size [0x8] NON-RESUMABLE ERROR: asi [0x00] CPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63 Workqueue: events work_for_cpu_fn TSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000    Not tainted TPC: <msix_prepare_msi_desc+0x90/0xa0> g0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100 g4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000 o0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620 o4: 0000000000000080 o5: 
0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128 RPC: <__pci_enable_msix_range+0x3cc/0x460> l0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020 l4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734 i0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d i4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0 I7: <niu_try_msix.constprop.0+0xc0/0x130 [niu]> Call Trace: [<00000000101888b0>] niu_try_msix.constprop.0+0xc0/0x130 [niu] [<000000001018f840>] niu_get_invariants+0x183c/0x207c [niu] [<00000000101902fc>] niu_pci_init_one+0x27c/0x2fc [niu] [<00000000005ef3e4>] local_pci_probe+0x28/0x74 [<0000000000469240>] work_for_cpu_fn+0x8/0x1c [<000000000046b008>] process_scheduled_works+0x144/0x210 [<000000000046b518>] worker_thread+0x13c/0x1c0 [<00000000004710e0>] kthread+0xb8/0xc8 [<00000000004060c8>] ret_from_fork+0x1c/0x2c [<0000000000000000>] 0x0 Kernel panic - not syncing: Non-resumable error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37834",
                        "url": "https://ubuntu.com/security/CVE-2025-37834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/vmscan: don't try to reclaim hwpoison folio  Syzkaller reports a bug as follows:  Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e memcg:ffff0000dd6d9000 anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:184! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : add_to_swap+0xbc/0x158 lr : add_to_swap+0xbc/0x158 sp : ffff800087f37340 x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 Call trace:  add_to_swap+0xbc/0x158  shrink_folio_list+0x12ac/0x2648  shrink_inactive_list+0x318/0x948  
shrink_lruvec+0x450/0x720  shrink_node_memcgs+0x280/0x4a8  shrink_node+0x128/0x978  balance_pgdat+0x4f0/0xb20  kswapd+0x228/0x438  kthread+0x214/0x230  ret_from_fork+0x10/0x20  I can reproduce this issue with the following steps:  1) When a dirty swapcache page is isolated by reclaim process and the    page isn't locked, inject memory failure for the page.    me_swapcache_dirty() clears uptodate flag and tries to delete from lru,    but fails.  Reclaim process will put the hwpoisoned page back to lru.  2) The process that maps the hwpoisoned page exits, the page is deleted    the page will never be freed and will be in the lru forever.  3) If we trigger a reclaim again and tries to reclaim the page,    add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is    cleared.  To fix it, skip the hwpoisoned page in shrink_folio_list().  Besides, the hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap it in shrink_folio_list(), otherwise the folio will fail to be unmaped by hwpoison_user_mappings() since the folio isn't in lru list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-08 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37838",
                        "url": "https://ubuntu.com/security/CVE-2025-37838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition  In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.  If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:  CPU0                                    CPU1                          | ssip_xmit_work ssi_protocol_remove     | kfree(ssi);             |                         | struct hsi_client *cl = ssi->cl;                         | // use ssi  Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-18 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2121653,
                    1786013,
                    2120454,
                    2111521,
                    2120233,
                    2116247,
                    2115478,
                    2118499,
                    2116175,
                    2119526,
                    2115393,
                    2115738,
                    2118965,
                    2112330,
                    2111231,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119039,
                    2119039,
                    2119039,
                    2119039,
                    2119039,
                    2119010,
                    2119010,
                    2119010,
                    2119010,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2121449,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2117649,
                    1786013,
                    2083800,
                    2116072,
                    2115898,
                    2115068,
                    2114516,
                    2113990,
                    2115022,
                    2114697,
                    2115174,
                    2114450,
                    2114258,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2113992,
                    2117494,
                    2116061,
                    2114501,
                    1786013,
                    2107976,
                    2112462,
                    2112469,
                    2114174,
                    2114174,
                    2114174,
                    2112582,
                    2109951,
                    2110090,
                    2111861,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2113881,
                    2107320,
                    2109543,
                    2105402,
                    2111404,
                    2110289,
                    2110652,
                    2111244,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    2111268,
                    1786013,
                    2109741,
                    1786013,
                    2109367,
                    2108854,
                    2108854,
                    2103496,
                    2103617,
                    2103480,
                    2104893,
                    2106449,
                    2097818,
                    2107212,
                    2106661,
                    2106281
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-38105",
                                "url": "https://ubuntu.com/security/CVE-2025-38105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Kill timer properly at removal  The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call.  This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer.  For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38114",
                                "url": "https://ubuntu.com/security/CVE-2025-38114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  e1000: Move cancel_work_sync to avoid deadlock  Previously, e1000_down called cancel_work_sync for the e1000 reset task (via e1000_down_and_stop), which takes RTNL.  As reported by users and syzbot, a deadlock is possible in the following scenario:  CPU 0:   - RTNL is held   - e1000_close   - e1000_down   - cancel_work_sync (cancel / wait for e1000_reset_task())  CPU 1:   - process_one_work   - e1000_reset_task   - take RTNL  To remedy this, avoid calling cancel_work_sync from e1000_down (e1000_reset_task does nothing if the device is down anyway). Instead, call cancel_work_sync for e1000_reset_task when the device is being removed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38116",
                                "url": "https://ubuntu.com/security/CVE-2025-38116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix uaf in ath12k_core_init()  When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain.  Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases.  Call trace:  notifier_chain_register+0x4c/0x1f0 (P)  atomic_notifier_chain_register+0x38/0x68  ath12k_core_init+0x50/0x4e8 [ath12k]  ath12k_pci_probe+0x5f8/0xc28 [ath12k]  pci_device_probe+0xbc/0x1a8  really_probe+0xc8/0x3a0  __driver_probe_device+0x84/0x1b0  driver_probe_device+0x44/0x130  __driver_attach+0xcc/0x208  bus_for_each_dev+0x84/0x100  driver_attach+0x2c/0x40  bus_add_driver+0x130/0x260  driver_register+0x70/0x138  __pci_register_driver+0x68/0x80  ath12k_pci_init+0x30/0x68 [ath12k]  ath12k_init+0x28/0x78 [ath12k]  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38306",
                                "url": "https://ubuntu.com/security/CVE-2025-38306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/fhandle.c: fix a race in call of has_locked_children()  may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race...  The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question.  Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it.  Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38272",
                                "url": "https://ubuntu.com/security/CVE-2025-38272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dsa: b53: do not enable EEE on bcm63xx  BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers.  Fix this by checking if the switch actually supports EEE before attempting to configure it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38311",
                                "url": "https://ubuntu.com/security/CVE-2025-38311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iavf: get rid of the crit lock  Get rid of the crit lock. That frees us from the error prone logic of try_locks.  Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case.  Lockdep reports that we should cancel the work under crit_lock [splat1], and that was the scheme we have mostly followed since [1] by Slawomir. But when that is done we still got into deadlocks [splat2]. So instead we should look at the bigger problem, namely \"weird locking/scheduling\" of the iavf. The first step to fix that is to remove the crit lock. I will followup with a -next series that simplifies scheduling/tasks.  Cancel the work without netdev lock (weird unlock+lock scheme), to fix the [splat2] (which would be totally ugly if we would kept the crit lock).  Extend protected part of iavf_watchdog_task() to include scheduling more work.  Note that the removed comment in iavf_reset_task() was misplaced, it belonged to inside of the removed if condition, so it's gone now.  [splat1] - w/o this patch - The deadlock during VF removal:      WARNING: possible circular locking dependency detected      sh/3825 is trying to acquire lock:       ((work_completion)(&(&adapter->watchdog_task)->work)){+.+.}-{0:0}, at: start_flush_work+0x1a1/0x470           but task is already holding lock:       (&adapter->crit_lock){+.+.}-{4:4}, at: iavf_remove+0xd1/0x690 [iavf]           which lock already depends on the new lock.  
[splat2] - when cancelling work under crit lock, w/o this series, \t   see [2] for the band aid attempt     WARNING: possible circular locking dependency detected     sh/3550 is trying to acquire lock:     ((wq_completion)iavf){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90         but task is already holding lock:     (&dev->lock){+.+.}-{4:4}, at: iavf_remove+0xa6/0x6e0 [iavf]         which lock already depends on the new lock.  [1] fc2e6b3b132a (\"iavf: Rework mutexes for better synchronisation\") [2] https://github.com/pkitszel/linux/commit/52dddbfc2bb60294083f5711a158a",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38128",
                                "url": "https://ubuntu.com/security/CVE-2025-38128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands  In 'mgmt_hci_cmd_sync()', check whether the size of parameters passed in 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data (i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes). Otherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()' to do 'skb_put_data()' from an area beyond the one actually passed to 'mgmt_hci_cmd_sync()'.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38130",
                                "url": "https://ubuntu.com/security/CVE-2025-38130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/connector: only call HDMI audio helper plugged cb if non-null  On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb with NULL as the callback function and codec_dev, as seen in its hdmi_remove function.  The HDMI audio helper then happily tries calling said null function pointer, and produces an Oops as a result.  Fix this by only executing the callback if fn is non-null. This means the .plugged_cb and .plugged_cb_dev members still get appropriately cleared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38132",
                                "url": "https://ubuntu.com/security/CVE-2025-38132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: holding cscfg_csdev_lock while removing cscfg from csdev  There'll be possible race scenario for coresight config:  CPU0                                          CPU1 (perf enable)                                 load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config()   lock(csdev->cscfg_csdev_lock)                                               deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()   <iterating config_csdev_list>              cscfg_remove_owned_csdev_configs()   // here load config activate by CPU1   unlock(csdev->cscfg_csdev_lock)  iterating config_csdev_list could be raced with config_csdev_list's entry delete.  To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs()",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38137",
                                "url": "https://ubuntu.com/security/CVE-2025-38137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/pwrctrl: Cancel outstanding rescan work when unregistering  It's possible to trigger use-after-free here by:    (a) forcing rescan_work_func() to take a long time and   (b) utilizing a pwrctrl driver that may be unloaded for some reason  Cancel outstanding work to ensure it is finished before we allow our data structures to be cleaned up.  [bhelgaas: tidy commit log]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38139",
                                "url": "https://ubuntu.com/security/CVE-2025-38139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfs: Fix oops in write-retry from mis-resetting the subreq iterator  Fix the resetting of the subrequest iterator in netfs_retry_write_stream() to use the iterator-reset function as the iterator may have been shortened by a previous retry.  In such a case, the amount of data to be written by the subrequest is not \"subreq->len\" but \"subreq->len - subreq->transferred\".  Without this, KASAN may see an error in iov_iter_revert():     BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]    BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611    Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147     CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014    Workqueue: events_unbound netfs_write_collection_worker    Call Trace:     <TASK>     __dump_stack lib/dump_stack.c:94 [inline]     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120     print_address_description mm/kasan/report.c:408 [inline]     print_report+0xc3/0x670 mm/kasan/report.c:521     kasan_report+0xe0/0x110 mm/kasan/report.c:634     iov_iter_revert lib/iov_iter.c:633 [inline]     iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611     netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]     netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231     netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]     netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374     process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238     process_scheduled_works kernel/workqueue.c:3319 [inline]     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400     kthread+0x3c2/0x780 kernel/kthread.c:464     ret_from_fork+0x45/0x80 
arch/x86/kernel/process.c:153     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245     </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38140",
                                "url": "https://ubuntu.com/security/CVE-2025-38140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: limit swapping tables for devices with zone write plugs  dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size.  If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device.  If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to.  If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes.  Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources.  Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append.  Also, it cannot change the device size or the zone size. A device can switch to an error target.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38279",
                                "url": "https://ubuntu.com/security/CVE-2025-38279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Do not include stack ptr register in precision backtracking bookkeeping  Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg:   [   60.643604] verifier backtracking bug   [   60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10   [   60.648428] Modules linked in: bpf_testmod(OE)   [   60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G          OE       6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full)   [   60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   [   60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014   [   60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10   [   60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04                        01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ...   [   60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246   [   60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000   [   60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff   [   60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a   [   60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8   [   60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001   [   60.684030] FS:  00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000   [   60.686837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [   60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0   [   60.691623] Call Trace:   [   60.692821]  <TASK>   [   60.693960]  ? __pfx_verbose+0x10/0x10   [   60.695656]  ? 
__pfx_disasm_kfunc_name+0x10/0x10   [   60.697495]  check_cond_jmp_op+0x16f7/0x39b0   [   60.699237]  do_check+0x58fa/0xab10   ...  Further analysis shows the warning is at line 4302 as below:    4294                 /* static subprog call instruction, which   4295                  * means that we are exiting current subprog,   4296                  * so only r1-r5 could be still requested as   4297                  * precise, r0 and r6-r10 or any stack slot in   4298                  * the current frame should be zero by now   4299                  */   4300                 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {   4301                         verbose(env, \"BUG regs %x\\n\", bt_reg_mask(bt));   4302                         WARN_ONCE(1, \"verifier backtracking bug\");   4303                         return -EFAULT;   4304                 }  With the below test (also in the next patch):   __used __naked static void __bpf_jmp_r10(void)   { \tasm volatile ( \t\"r2 = 2314885393468386424 ll;\" \t\"goto +0;\" \t\"if r2 <= r10 goto +3;\" \t\"if r1 >= -1835016 goto +0;\" \t\"if r2 <= 8 goto +0;\" \t\"if r3 <= 0 goto +0;\" \t\"exit;\" \t::: __clobber_all);   }    SEC(\"?raw_tp\")   __naked void bpf_jmp_r10(void)   { \tasm volatile ( \t\"r3 = 0 ll;\" \t\"call __bpf_jmp_r10;\" \t\"r0 = 0;\" \t\"exit;\" \t::: __clobber_all);   }  The following is the verifier failure log:   0: (18) r3 = 0x0                      ; R3_w=0   2: (85) call pc+2   caller:    R10=fp0   callee:    frame1: R1=ctx() R3_w=0 R10=fp0   5: frame1: R1=ctx() R3_w=0 R10=fp0   ; asm volatile (\"                                 \\ @ verifier_precision.c:184   5: (18) r2 = 0x20202000256c6c78       ; frame1: R2_w=0x20202000256c6c78   7: (05) goto pc+0   8: (bd) if r2 <= r10 goto pc+3        ; frame1: R2_w=0x20202000256c6c78 R10=fp0   9: (35) if r1 >= 0xffe3fff8 goto pc+0         ; frame1: R1=ctx()   10: (b5) if r2 <= 0x8 goto pc+0   mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1   mark_precise: 
frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0   mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3   mark_preci ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38314",
                                "url": "https://ubuntu.com/security/CVE-2025-38314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-pci: Fix result size returned for the admin command completion  The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status.  This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra    data at the end. 2. The allocated buffer in the kernel may be smaller than the returned    size, leading to failures when reading beyond the allocated size.  The commit fixes this by subtracting the status size from the result of virtqueue_get_buf().  This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38316",
                                "url": "https://ubuntu.com/security/CVE-2025-38316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()  The function mt7996_set_monitor() dereferences phy before the NULL sanity check.  Fix this to avoid NULL pointer dereference by moving the dereference after the check.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38281",
                                "url": "https://ubuntu.com/security/CVE-2025-38281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init  devm_kasprintf() can return a NULL pointer on failure, but this returned value in mt7996_thermal_init() is not checked. Add NULL check in mt7996_thermal_init(), to handle kernel NULL pointer dereference error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38284",
                                "url": "https://ubuntu.com/security/CVE-2025-38284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw89: pci: configure manual DAC mode via PCI config API only  To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA.  With NULL mmap address, kernel throws trace:    BUG: unable to handle page fault for address: 0000000000001090   #PF: supervisor write access in kernel mode   #PF: error_code(0x0002) - not-present page   PGD 0 P4D 0   Oops: Oops: 0002 [#1] PREEMPT SMP PTI   CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE     6.14.2-061402-generic #202504101348   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]   RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206   RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000   RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020   RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015   R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060   FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0   Call Trace:    <TASK>    rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]    rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]    rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]    ? __pfx___device_attach_driver+0x10/0x10    ? __pfx___device_attach_driver+0x10/0x10    local_pci_probe+0x47/0xa0    pci_call_probe+0x5d/0x190    pci_device_probe+0xa7/0x160    really_probe+0xf9/0x370    ? 
pm_runtime_barrier+0x55/0xa0    __driver_probe_device+0x8c/0x140    driver_probe_device+0x24/0xd0    __device_attach_driver+0xcd/0x170    bus_for_each_drv+0x99/0x100    __device_attach+0xb4/0x1d0    device_attach+0x10/0x20    pci_bus_add_device+0x59/0x90    pci_bus_add_devices+0x31/0x80    pciehp_configure_device+0xaa/0x170    pciehp_enable_slot+0xd6/0x240    pciehp_handle_presence_or_link_change+0xf1/0x180    pciehp_ist+0x162/0x1c0    irq_thread_fn+0x24/0x70    irq_thread+0xef/0x1c0    ? __pfx_irq_thread_fn+0x10/0x10    ? __pfx_irq_thread_dtor+0x10/0x10    ? __pfx_irq_thread+0x10/0x10    kthread+0xfc/0x230    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x47/0x70    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38287",
                                "url": "https://ubuntu.com/security/CVE-2025-38287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  IB/cm: Drop lockdep assert and WARN when freeing old msg  The send completion handler can run after cm_id has advanced to another message.  The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38289",
                                "url": "https://ubuntu.com/security/CVE-2025-38289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk  Smatch detected a potential use-after-free of an ndlp object in dev_loss_tmo_callbk during driver unload or fatal error handling.  Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38291",
                                "url": "https://ubuntu.com/security/CVE-2025-38291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash  Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.  Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.  Call Trace:  <TASK>  dump_stack_lvl+0x75/0xc0  register_lock_class+0x6be/0x7a0  ? __lock_acquire+0x644/0x19a0  __lock_acquire+0x95/0x19a0  lock_acquire+0x265/0x310  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ? find_held_lock+0x34/0xa0  ? ath12k_ce_send+0x56/0x210 [ath12k]  _raw_spin_lock_bh+0x33/0x70  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_htc_send+0x178/0x390 [ath12k]  ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]  ath12k_wmi_cmd_send+0x62/0x190 [ath12k]  ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1  ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]  ieee80211_dump_survey+0x99/0x240 [mac80211]  nl80211_dump_survey+0xe7/0x470 [cfg80211]  ? kmalloc_reserve+0x59/0xf0  genl_dumpit+0x24/0x70  netlink_dump+0x177/0x360  __netlink_dump_start+0x206/0x280  genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0  ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0  ? genl_op_lock.part.12+0x10/0x10  ? genl_dumpit+0x70/0x70  genl_rcv_msg+0x1d0/0x290  ? nl80211_del_station+0x330/0x330 [cfg80211]  ? genl_get_cmd_both+0x50/0x50  netlink_rcv_skb+0x4f/0x100  genl_rcv+0x1f/0x30  netlink_unicast+0x1b6/0x260  netlink_sendmsg+0x31a/0x450  __sock_sendmsg+0xa8/0xb0  ____sys_sendmsg+0x1e4/0x260  ___sys_sendmsg+0x89/0xe0  ? local_clock_noinstr+0xb/0xc0  ? rcu_is_watching+0xd/0x40  ? kfree+0x1de/0x370  ? 
__sys_sendmsg+0x7a/0xc0  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38294",
                                "url": "https://ubuntu.com/security/CVE-2025-38294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix NULL access in assign channel context handler  Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging. This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn).  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38296",
                                "url": "https://ubuntu.com/security/CVE-2025-38296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: platform_profile: Avoid initializing on non-ACPI platforms  The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_register() to the module init call, and those entries need acpi_kobj to be initialized which is not the case when ACPI is disabled.  This results in the following warning:   WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8  Modules linked in:  CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.15.0-rc7-dirty #6 PREEMPT  Tainted: [W]=WARN  Hardware name: riscv-virtio,qemu (DT)  epc : internal_create_group+0xa22/0xdd8   ra : internal_create_group+0xa22/0xdd8   Call Trace:   internal_create_group+0xa22/0xdd8  sysfs_create_group+0x22/0x2e  platform_profile_init+0x74/0xb2  do_one_initcall+0x198/0xa9e  kernel_init_freeable+0x6d8/0x780  kernel_init+0x28/0x24c  ret_from_fork+0xe/0x18  Fix this by checking if ACPI is enabled before trying to create sysfs entries.  [ rjw: Subject and changelog edits ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38100",
                                "url": "https://ubuntu.com/security/CVE-2025-38100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/iopl: Cure TIF_IO_BITMAP inconsistencies  io_bitmap_exit() is invoked from exit_thread() when a task exits or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork().  io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference.  There are two issues, which lead to that problem:    1) io_bitmap_exit() should not invoke task_update_io_bitmap() when      the task, which is cleaned up, is not the current task. That's a      clear indicator for a cleanup after a failed fork().    2) A task should not have TIF_IO_BITMAP set and neither a bitmap      installed nor IOPL emulation level 3 activated.       This happens when a kernel thread is created in the context of      a user space thread, which has TIF_IO_BITMAP set as the thread      flags are copied and the IO bitmap pointer is cleared.       Other than in the failed fork() case this has no impact because      kernel threads including IO workers never return to user space and      therefore never invoke tss_update_io_bitmap().  Cure this by adding the missing cleanups and checks:    1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if      the to be cleaned up task is not the current task.    2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user      space forks it is set later, when the IO bitmap is inherited in      io_bitmap_share().  For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38101",
                                "url": "https://ubuntu.com/security/CVE-2025-38101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()  Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38267",
                                "url": "https://ubuntu.com/security/CVE-2025-38267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not trigger WARN_ON() due to a commit_overrun  When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE().  But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as \"missed_events\".  In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning:   ------------[ cut here ]------------  WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780  Modules linked in: kvm_intel kvm irqbypass  CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780  Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50  RSP: 0018:ffff888121787dc0 EFLAGS: 00010002  RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49  RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8  RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982  R10: ffff888126934c17 
R11: ffff8881010050a8 R12: ffff888126934c00  R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008  FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0  Call Trace:   <TASK>   ? __pfx_ring_buffer_map_get_reader+0x10/0x10   tracing_buffers_ioctl+0x283/0x370   __x64_sys_ioctl+0x134/0x190   do_syscall_64+0x79/0x1c0   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f95c8de48db  Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00  RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010  RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db  RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006  RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90   </TASK>  irq event stamp: 5080  hardirqs last  enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70  hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70  softirqs last  enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710  softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210  ---[ end trace 0000000000000000 ]---  The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command:   # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50  With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an 
event being written to add enough event ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38268",
                                "url": "https://ubuntu.com/security/CVE-2025-38268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work  A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.  Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:  [110121.667392][    C7] Call trace: [110121.667396][    C7]  __switch_to+0x174/0x338 [110121.667406][    C7]  __schedule+0x608/0x9f0 [110121.667414][    C7]  schedule+0x7c/0xe8 [110121.667423][    C7]  kernfs_drain+0xb0/0x114 [110121.667431][    C7]  __kernfs_remove+0x16c/0x20c [110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][    C7]  sysfs_remove_group+0x84/0xe8 [110121.667450][    C7]  sysfs_remove_groups+0x34/0x58 [110121.667458][    C7]  device_remove_groups+0x10/0x20 [110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4 [110121.667475][    C7]  device_release_driver+0x18/0x28 [110121.667484][    C7]  bus_remove_device+0xec/0x118 [110121.667491][    C7]  device_del+0x1e8/0x4ac [110121.667498][    C7]  device_unregister+0x18/0x38 [110121.667504][    C7]  typec_unregister_altmode+0x30/0x44 [110121.667515][    C7]  tcpm_reset_port+0xac/0x370 [110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8 [110121.667529][    C7]  run_state_machine+0x4c0/0x1b68 [110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4 [110121.667544][    C7]  kthread_worker_fn+0x10c/0x244 [110121.667552][    C7]  kthread+0x104/0x1d4 [110121.667557][    C7]  
ret_from_fork+0x10/0x20  [110121.667689][    C7] Workqueue: events dp_altmode_work [110121.667697][    C7] Call trace: [110121.667701][    C7]  __switch_to+0x174/0x338 [110121.667710][    C7]  __schedule+0x608/0x9f0 [110121.667717][    C7]  schedule+0x7c/0xe8 [110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40 [110121.667733][    C7]  __mutex_lock+0x408/0xdac [110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24 [110121.667748][    C7]  mutex_lock+0x40/0xec [110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4 [110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c [110121.667769][    C7]  dp_altmode_work+0x68/0x164 [110121.667775][    C7]  process_one_work+0x1e4/0x43c [110121.667783][    C7]  worker_thread+0x25c/0x430 [110121.667789][    C7]  kthread+0x104/0x1d4 [110121.667794][    C7]  ret_from_fork+0x10/0x20  Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38102",
                                "url": "https://ubuntu.com/security/CVE-2025-38102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify  During our test, it is found that a warning can be triggered in try_grab_folio as follows:    ------------[ cut here ]------------   WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130   Modules linked in:   CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)   RIP: 0010:try_grab_folio+0x106/0x130   Call Trace:    <TASK>    follow_huge_pmd+0x240/0x8e0    follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0    follow_pud_mask.constprop.0.isra.0+0x14a/0x170    follow_page_mask+0x1c2/0x1f0    __get_user_pages+0x176/0x950    __gup_longterm_locked+0x15b/0x1060    ? gup_fast+0x120/0x1f0    gup_fast_fallback+0x17e/0x230    get_user_pages_fast+0x5f/0x80    vmci_host_unlocked_ioctl+0x21c/0xf80   RIP: 0033:0x54d2cd   ---[ end trace 0000000000000000 ]---  Digging into the source, context->notify_page may be initialized by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and this leads to the following try_grab_folio warning. The race condition is shown as follows:  cpu0\t\t\tcpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd  // update &context->notify_page \t\t\tvmci_host_do_set_notify \t\t\tvmci_ctx_unset_notify \t\t\tnotify_page = context->notify_page; \t\t\tif (notify_page) \t\t\tput_page(notify_page);\t// page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here  To solve this, use a local variable page so that notify_page can only be seen after get_user_pages_fast has finished.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38301",
                                "url": "https://ubuntu.com/security/CVE-2025-38301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmem: zynqmp_nvmem: unbreak driver after cleanup  Commit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\") changed the driver to expect the device pointer to be passed as the \"context\", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38352",
                                "url": "https://ubuntu.com/security/CVE-2025-38352",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()  If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().  If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.  Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.  This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-07-22 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38103",
                                "url": "https://ubuntu.com/security/CVE-2025-38103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()  Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor.  Update all references to member element desc[0] to rpt_desc.  Add test to verify bLength and bNumDescriptors values are valid.  Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault.  Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38302",
                                "url": "https://ubuntu.com/security/CVE-2025-38302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work  Bios queued up in the zone write plug have already gone through all preparation in the submit_bio path, including the freeze protection.  Submitting them through submit_bio_noacct_nocheck duplicates the work and can cause deadlocks when freezing a queue with pending bio write plugs.  Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra freeze protection and checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38106",
                                "url": "https://ubuntu.com/security/CVE-2025-38106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()  syzbot reports:  BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304  CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x53/0x70  print_report+0xd0/0x670  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? getrusage+0x1109/0x1a60  kasan_report+0xce/0x100  ? getrusage+0x1109/0x1a60  getrusage+0x1109/0x1a60  ? __pfx_getrusage+0x10/0x10  __io_uring_show_fdinfo+0x9fe/0x1790  ? ksys_read+0xf7/0x1c0  ? do_syscall_64+0xa4/0x260  ? vsnprintf+0x591/0x1100  ? __pfx___io_uring_show_fdinfo+0x10/0x10  ? __pfx_vsnprintf+0x10/0x10  ? mutex_trylock+0xcf/0x130  ? __pfx_mutex_trylock+0x10/0x10  ? __pfx_show_fd_locks+0x10/0x10  ? io_uring_show_fdinfo+0x57/0x80  io_uring_show_fdinfo+0x57/0x80  seq_show+0x38c/0x690  seq_read_iter+0x3f7/0x1180  ? inode_set_ctime_current+0x160/0x4b0  seq_read+0x271/0x3e0  ? __pfx_seq_read+0x10/0x10  ? __pfx__raw_spin_lock+0x10/0x10  ? __mark_inode_dirty+0x402/0x810  ? selinux_file_permission+0x368/0x500  ? file_update_time+0x10f/0x160  vfs_read+0x177/0xa40  ? __pfx___handle_mm_fault+0x10/0x10  ? __pfx_vfs_read+0x10/0x10  ? mutex_lock+0x81/0xe0  ? __pfx_mutex_lock+0x10/0x10  ? fdget_pos+0x24d/0x4b0  ksys_read+0xf7/0x1c0  ? __pfx_ksys_read+0x10/0x10  ? 
do_user_addr_fault+0x43b/0x9c0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000  </TASK>  Allocated by task 298:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  __kasan_slab_alloc+0x6e/0x70  kmem_cache_alloc_node_noprof+0xe8/0x330  copy_process+0x376/0x5e00  create_io_thread+0xab/0xf0  io_sq_offload_create+0x9ed/0xf20  io_uring_setup+0x12b0/0x1cc0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 22:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3b/0x60  __kasan_slab_free+0x37/0x50  kmem_cache_free+0xc4/0x360  rcu_core+0x5ff/0x19f0  handle_softirqs+0x18c/0x530  run_ksoftirqd+0x20/0x30  smpboot_thread_fn+0x287/0x6c0  kthread+0x30d/0x630  ret_from_fork+0xef/0x1a0  ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:  kasan_save_stack+0x33/0x60  kasan_record_aux_stack+0x8c/0xa0  __call_rcu_common.constprop.0+0x68/0x940  __schedule+0xff2/0x2930  __cond_resched+0x4c/0x80  mutex_lock+0x5c/0xe0  io_uring_del_tctx_node+0xe1/0x2b0  io_uring_clean_tctx+0xb7/0x160  io_uring_cancel_generic+0x34e/0x760  do_exit+0x240/0x2350  do_group_exit+0xab/0x220  __x64_sys_exit_group+0x39/0x40  x64_sys_call+0x1243/0x1840  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  The buggy address belongs to the object at ffff88810de2cb00  which belongs to the cache task_struct of size 
3712 The buggy address is located 1992 bytes inside of  freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)  which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre relase or exit of sq->thread.  Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38269",
                                "url": "https://ubuntu.com/security/CVE-2025-38269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: exit after state insertion failure at btrfs_convert_extent_bit()  If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access.  So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38270",
                                "url": "https://ubuntu.com/security/CVE-2025-38270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: drv: netdevsim: don't napi_complete() from netpoll  netdevsim supports netpoll. Make sure we don't call napi_complete() from it, since it may not be scheduled. Breno reports hitting a warning in napi_complete_done():  WARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560   __napi_poll+0x2d8/0x3a0   handle_softirqs+0x1fe/0x710  This is presumably after netpoll stole the SCHED bit prematurely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38107",
                                "url": "https://ubuntu.com/security/CVE-2025-38107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: ets: fix a race in ets_qdisc_change()  Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38108",
                                "url": "https://ubuntu.com/security/CVE-2025-38108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: red: fix a race in __red_change()  Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38109",
                                "url": "https://ubuntu.com/security/CVE-2025-38109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix ECVF vports unload on shutdown flow  Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed.  ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports.  kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28    refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38303",
                                "url": "https://ubuntu.com/security/CVE-2025-38303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: eir: Fix possible crashes on eir_create_adv_data  eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38304",
                                "url": "https://ubuntu.com/security/CVE-2025-38304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: Fix NULL pointer deference on eir_get_service_data  The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38110",
                                "url": "https://ubuntu.com/security/CVE-2025-38110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds clause 45 read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38111",
                                "url": "https://ubuntu.com/security/CVE-2025-38111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38112",
                                "url": "https://ubuntu.com/security/CVE-2025-38112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: Fix TOCTOU issue in sk_is_readable()  sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL.  This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference.  Ensure the function pointer does not turn NULL after the check.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38113",
                                "url": "https://ubuntu.com/security/CVE-2025-38113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: CPPC: Fix NULL pointer dereference when nosmp is used  With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic.  Panic backtrace:  [    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [    0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init!  [ rjw: New subject ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38088",
                                "url": "https://ubuntu.com/security/CVE-2025-38088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap  memtrace mmap has an out of bounds issue. This patch fixes it by checking that the requested mapping region size stays within the allocated region size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38115",
                                "url": "https://ubuntu.com/security/CVE-2025-38115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: fix a potential crash on gso_skb handling  SFQ has an assumption of always being able to queue at least one packet.  However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop.  Fix sfq_drop() to properly clear q->tail in this situation.   ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off                 # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100  ip netns exec lb netserver  netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 &",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38414",
                                "url": "https://ubuntu.com/security/CVE-2025-38414",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850  GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms.  Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue.  Note IPQ5332 is not affected as it is not PCIe based device.  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-25 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38305",
                                "url": "https://ubuntu.com/security/CVE-2025-38305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()  There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use.  However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store().  ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415  but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215  other info that might help us debug this:  Possible unsafe locking scenario:         CPU0        ----   lock(&ptp->n_vclocks_mux);   lock(&ptp->n_vclocks_mux);   *** DEADLOCK *** .... ============================================  The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use().  The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks.  Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38117",
                                "url": "https://ubuntu.com/security/CVE-2025-38117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Protect mgmt_pending list with its own lock  This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like:  ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318  CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace:  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)  __dump_stack+0x30/0x40 lib/dump_stack.c:94  dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120  print_address_description+0xa8/0x254 mm/kasan/report.c:408  print_report+0x68/0x84 mm/kasan/report.c:521  kasan_report+0xb0/0x110 mm/kasan/report.c:634  __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379  hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91  mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223  pending_find net/bluetooth/mgmt.c:947 [inline]  remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445  hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712  hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  sock_write_iter+0x25c/0x378 net/socket.c:1131  new_sync_write fs/read_write.c:591 [inline]  vfs_write+0x62c/0x97c fs/read_write.c:684  ksys_write+0x120/0x210 fs/read_write.c:736  __do_sys_write fs/read_write.c:747 [inline]  __se_sys_write fs/read_write.c:744 [inline]  __arm64_sys_write+0x7c/0x90 fs/read_write.c:744  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Allocated by task 7037:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4327 [inline]  __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198  sk_alloc+0x44/0x3ac net/core/sock.c:2254  bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148  hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202  bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132  __sock_create+0x43c/0x91c net/socket.c:1541  sock_create net/socket.c:1599 [inline]  __sys_socket_create net/socket.c:1636 [inline]  __sys_socket+0xd4/0x1c0 net/socket.c:1683  __do_sys_socket net/socket.c:1697 [inline]  __se_sys_socket net/socket.c:1695 [inline]  __arm64_sys_socket+0x7c/0x94 net/socket.c:1695  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Freed by task 6607:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x68/0x88 
mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38118",
                                "url": "https://ubuntu.com/security/CVE-2025-38118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete  This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow:  ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341  CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406  hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 5987:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252  mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279  
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:727  sock_write_iter+0x258/0x330 net/socket.c:1131  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x548/0xa90 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 5989:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2380 [inline]  slab_free mm/slub.c:4642 [inline]  kfree+0x18e/0x440 mm/slub.c:4841  mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242  mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366  hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314  __sys_bind_socket net/socket.c:1810 [inline]  __sys_bind+0x2c3/0x3e0 net/socket.c:1841  __do_sys_bind net/socket.c:1846 [inline]  __se_sys_bind net/socket.c:1844 [inline]  __x64_sys_bind+0x7a/0x90 net/socket.c:1844  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38119",
                                "url": "https://ubuntu.com/security/CVE-2025-38119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: core: ufs: Fix a hang in the error handler  ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before.  Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20  [ bvanassche: rewrote patch description ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38307",
                                "url": "https://ubuntu.com/security/CVE-2025-38307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Verify content returned by parse_int_array()  The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38310",
                                "url": "https://ubuntu.com/security/CVE-2025-38310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: Fix validation of nexthop addresses  The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one.  Fix by validating that the provided length exactly matches the specified one.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38120",
                                "url": "https://ubuntu.com/security/CVE-2025-38120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_set_pipapo_avx2: fix initial map fill  If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map.  The early fix was incomplete and did only fix up the generic C implementation.  A followup patch adds a test case to nft_concat_range.sh.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38122",
                                "url": "https://ubuntu.com/security/CVE-2025-38122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO  gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer.  Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails.  This improves robustness in low-memory scenarios.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38123",
                                "url": "https://ubuntu.com/security/CVE-2025-38123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: Fix napi rx poll issue  When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic.  BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x620 [...] Call Trace:  <IRQ>  ? __die_body+0x68/0xb0  ? page_fault_oops+0x379/0x3e0  ? exc_page_fault+0x4f/0xa0  ? asm_exc_page_fault+0x22/0x30  ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]  ? dev_gro_receive+0x3a/0x620  napi_gro_receive+0xad/0x170  t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]  t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]  net_rx_action+0x103/0x470  irq_exit_rcu+0x13a/0x310  sysvec_apic_timer_interrupt+0x56/0x90  </IRQ>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38124",
                                "url": "https://ubuntu.com/security/CVE-2025-38124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix udp gso skb_segment after pull from frag_list  Commit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after pull from frag_list\") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust.  If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below.  Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size  Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants.  In extreme cases they pull one part of data into skb linear. For UDP, this  causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes.  The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment.      
skb_segment+0xcd0/0xd14     __udp_gso_segment+0x334/0x5f4     udp4_ufo_fragment+0x118/0x15c     inet_gso_segment+0x164/0x338     skb_mac_gso_segment+0xc4/0x13c     __skb_gso_segment+0xc4/0x124     validate_xmit_skb+0x9c/0x2c0     validate_xmit_skb_list+0x4c/0x80     sch_direct_xmit+0x70/0x404     __dev_queue_xmit+0x64c/0xe5c     neigh_resolve_output+0x178/0x1c4     ip_finish_output2+0x37c/0x47c     __ip_finish_output+0x194/0x240     ip_finish_output+0x20/0xf4     ip_output+0x100/0x1a0     NF_HOOK+0xc4/0x16c     ip_forward+0x314/0x32c     ip_rcv+0x90/0x118     __netif_receive_skb+0x74/0x124     process_backlog+0xe8/0x1a4     __napi_poll+0x5c/0x1f8     net_rx_action+0x154/0x314     handle_softirqs+0x154/0x4b8      [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!     [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP     [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000     [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000     [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)     [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14     [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14     [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38125",
                                "url": "https://ubuntu.com/security/CVE-2025-38125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring EST  If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0.  Prevent this division by 0 by adding the corresponding check and error code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38126",
                                "url": "https://ubuntu.com/security/CVE-2025-38126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping  The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0:   Division by zero in kernel.  CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22  Hardware name: STM32 (Device Tree Support)  Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x6c/0x8c   dump_stack_lvl from Ldiv0_64+0x8/0x18   Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4   stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c   stmmac_hw_setup from __stmmac_open+0x18c/0x434   __stmmac_open from stmmac_open+0x3c/0xbc   stmmac_open from __dev_open+0xf4/0x1ac   __dev_open from __dev_change_flags+0x1cc/0x224   __dev_change_flags from dev_change_flags+0x24/0x60   dev_change_flags from ip_auto_config+0x2e8/0x11a0   ip_auto_config from do_one_initcall+0x84/0x33c   do_one_initcall from kernel_init_freeable+0x1b8/0x214   kernel_init_freeable from kernel_init+0x24/0x140   kernel_init from ret_from_fork+0x14/0x28  Exception stack(0xe0815fb0 to 0xe0815ff8)  Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38127",
                                "url": "https://ubuntu.com/security/CVE-2025-38127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix Tx scheduler error handling in XDP callback  When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation.  The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace:  [  +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [  +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [  +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [  +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [  +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]  [...]  [  +0.002715] Call Trace: [  +0.002452]  <IRQ> [  +0.002021]  ? __die_body.cold+0x19/0x29 [  +0.003922]  ? die_addr+0x3c/0x60 [  +0.003319]  ? exc_general_protection+0x17c/0x400 [  +0.004707]  ? asm_exc_general_protection+0x26/0x30 [  +0.004879]  ? __ice_update_sample+0x39/0xe0 [ice] [  +0.004835]  ice_napi_poll+0x665/0x680 [ice] [  +0.004320]  __napi_poll+0x28/0x190 [  +0.003500]  net_rx_action+0x198/0x360 [  +0.003752]  ? update_rq_clock+0x39/0x220 [  +0.004013]  handle_softirqs+0xf1/0x340 [  +0.003840]  ? 
sched_clock_cpu+0xf/0x1f0 [  +0.003925]  __irq_exit_rcu+0xc2/0xe0 [  +0.003665]  common_interrupt+0x85/0xa0 [  +0.003839]  </IRQ> [  +0.002098]  <TASK> [  +0.002106]  asm_common_interrupt+0x26/0x40 [  +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690  Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38129",
                                "url": "https://ubuntu.com/security/CVE-2025-38129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: Fix use-after-free in page_pool_recycle_in_ring  syzbot reported a uaf in page_pool_recycle_in_ring:  BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943  CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x169/0x550 mm/kasan/report.c:489  kasan_report+0x143/0x180 mm/kasan/report.c:602  lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]  _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210  spin_unlock_bh include/linux/spinlock.h:396 [inline]  ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]  page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]  page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826  page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]  page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]  napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036  skb_pp_recycle net/core/skbuff.c:1047 [inline]  skb_free_head net/core/skbuff.c:1094 [inline]  skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125  skb_release_all net/core/skbuff.c:1190 [inline]  __kfree_skb net/core/skbuff.c:1204 [inline]  sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242  kfree_skb_reason include/linux/skbuff.h:1263 [inline]  __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]  root cause is:  page_pool_recycle_in_ring   ptr_ring_produce     spin_lock(&r->producer_lock);     
WRITE_ONCE(r->queue[r->producer++], ptr)       //recycle last page to pool \t\t\t\tpage_pool_release \t\t\t\t  page_pool_scrub \t\t\t\t    page_pool_empty_ring \t\t\t\t      ptr_ring_consume \t\t\t\t      page_pool_return_page  //release all page \t\t\t\t  __page_pool_destroy \t\t\t\t     free_percpu(pool->recycle_stats); \t\t\t\t     free(pool) //free       spin_unlock(&r->producer_lock); //pool->ring uaf read   recycle_stat_inc(pool, ring);  page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.  recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38131",
                                "url": "https://ubuntu.com/security/CVE-2025-38131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: prevent deactivate active config while enabling the config  While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario:  CPU0                                          CPU1 (sysfs enable)                                load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock)                                                deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()                                               unload module  // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config  To address this, use cscfg_config_desc's active_cnt as a reference count  which will be holded when     - activate the config.     - enable the activated config. and put the module reference when config_active_cnt == 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38274",
                                "url": "https://ubuntu.com/security/CVE-2025-38274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()  fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference.  Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38134",
                                "url": "https://ubuntu.com/security/CVE-2025-38134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()  As demonstrated by the fix for update_port_device_state, commit 12783c0b9e2c (\"usb: core: Prevent null pointer dereference in update_port_device_state\"), usb_hub_to_struct_hub() can return NULL in certain scenarios, such as during hub driver unbind or teardown race conditions, even if the underlying usb_device structure exists.  Plus, all other places that call usb_hub_to_struct_hub() in the same file do check for NULL return values.  If usb_hub_to_struct_hub() returns NULL, the subsequent access to hub->ports[udev->portnum - 1] will cause a null pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38135",
                                "url": "https://ubuntu.com/security/CVE-2025-38135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: Fix potential null-ptr-deref in mlb_usio_probe()  devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference.  Add NULL check after devm_ioremap() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38136",
                                "url": "https://ubuntu.com/security/CVE-2025-38136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: renesas_usbhs: Reorder clock handling and power management in probe  Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks.  Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows:      usbhs_probe()         usbhs_sys_clock_ctrl()             usbhs_bset()                 usbhs_write()                     iowrite16()  <-- Register access before enabling clocks  Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H:  [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 
00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076]  platform_probe+0x68/0xdc [13.406738]  really_probe+0xbc/0x2c0 [13.410306]  __driver_probe_device+0x78/0x120 [13.414653]  driver_probe_device+0x3c/0x154 [13.418825]  __driver_attach+0x90/0x1a0 [13.422647]  bus_for_each_dev+0x7c/0xe0 [13.426470]  driver_attach+0x24/0x30 [13.430032]  bus_add_driver+0xe4/0x208 [13.433766]  driver_register+0x68/0x130 [13.437587]  __platform_driver_register+0x24/0x30 [13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450]  do_one_initcall+0x60/0x1d4 [13.452276]  do_init_module+0x54/0x1f8 [13.456014]  load_module+0x1754/0x1c98 [13.459750]  init_module_from_file+0x88/0xcc [13.464004]  __arm64_sys_finit_module+0x1c4/0x328 [13.468689]  invoke_syscall+0x48/0x104 [13.472426]  el0_svc_common.constprop.0+0xc0/0xe0 [13.477113]  do_el0_svc+0x1c/0x28 [13.480415]  el0_svc+0x30/0xcc [13.483460]  el0t_64_sync_handler+0x10c/0x138 [13.487800]  el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38138",
                                "url": "https://ubuntu.com/security/CVE-2025-38138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: Add NULL check in udma_probe()  devm_kasprintf() returns NULL when memory allocation fails. Currently, udma_probe() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38275",
                                "url": "https://ubuntu.com/security/CVE-2025-38275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug  The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference.  Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38141",
                                "url": "https://ubuntu.com/security/CVE-2025-38141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix dm_blk_report_zones  If dm_get_live_table() returned NULL, dm_put_live_table() was never called. Also, it is possible that md->zone_revalidate_map will change while calling this function. Only read it once, so that we are always using the same value. Otherwise we might miss a call to dm_put_live_table().  Finally, while md->zone_revalidate_map is set and a process is calling blk_revalidate_disk_zones() to set up the zone append emulation resources, it is possible that another process, perhaps triggered by blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If blk_revalidate_disk_zones() fails, these resources can be freed while the other process is still using them, causing a use-after-free error.  blk_revalidate_disk_zones() will only ever be called when initially setting up the zone append emulation resources, such as when setting up a zoned dm-crypt table for the first time. Further table swaps will not set md->zone_revalidate_map or call blk_revalidate_disk_zones(). However it must be called using the new table (referenced by md->zone_revalidate_map) and the new queue limits while the DM device is suspended. dm_blk_report_zones() needs some way to distinguish between a call from blk_revalidate_disk_zones(), which must be allowed to use md->zone_revalidate_map to access this not yet activated table, and all other calls to dm_blk_report_zones(), which should not be allowed while the device is suspended and cannot use md->zone_revalidate_map, since the zone resources might be freed by the process currently calling blk_revalidate_disk_zones().  Solve this by tracking the process that sets md->zone_revalidate_map in dm_revalidate_zones() and only allowing that process to make use of it in dm_blk_report_zones().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38142",
                                "url": "https://ubuntu.com/security/CVE-2025-38142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (asus-ec-sensors) check sensor index in read_string()  Prevent a potential invalid memory access when the requested sensor is not found.  find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info().  Add a proper check to return -EINVAL if sensor_index is negative.  Found by Linux Verification Center (linuxtesting.org) with SVACE.  [groeck: Return error code returned from find_ec_sensor_index]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38277",
                                "url": "https://ubuntu.com/security/CVE-2025-38277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: nand: ecc-mxic: Fix use of uninitialized variable ret  If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes.  This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization.  Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38143",
                                "url": "https://ubuntu.com/security/CVE-2025-38143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  backlight: pm8941: Add NULL check in wled_configure()  devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38312",
                                "url": "https://ubuntu.com/security/CVE-2025-38312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()  In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow...  Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38145",
                                "url": "https://ubuntu.com/security/CVE-2025-38145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()  devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.  [arj: Fix Fixes: tag to use subject from 3772e5da4454]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38313",
                                "url": "https://ubuntu.com/security/CVE-2025-38313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: fix double-free on mc_dev  The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable.  In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed.  This commit introduces back the following checkpatch warning which is a false-positive.  WARNING: kfree(NULL) is safe and this check is probably not required +       if (mc_bus) +               kfree(mc_bus);",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38415",
                                "url": "https://ubuntu.com/security/CVE-2025-38415",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: check return result of sb_min_blocksize  Syzkaller reports an \"UBSAN: shift-out-of-bounds in squashfs_bio_read\" bug.  Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl(\"/dev/loop0\", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs.  When this happens the following code in squashfs_fill_super() fails.  ---- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize); ----  sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.  As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.  This subsequently causes the  UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')  This commit adds a check for a 0 return by sb_min_blocksize().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-25 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38146",
                                "url": "https://ubuntu.com/security/CVE-2025-38146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: openvswitch: Fix the dead loop of MPLS parse  The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally.  stack backtrace: UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 index -1 is out of range for type '__be32 [3]' CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE  5.15.0-121-generic #131-Ubuntu Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 Call Trace:  <IRQ>  show_stack+0x52/0x5c  dump_stack_lvl+0x4a/0x63  dump_stack+0x10/0x16  ubsan_epilogue+0x9/0x36  __ubsan_handle_out_of_bounds.cold+0x44/0x49  key_extract_l3l4+0x82a/0x840 [openvswitch]  ? kfree_skbmem+0x52/0xa0  key_extract+0x9c/0x2b0 [openvswitch]  ovs_flow_key_extract+0x124/0x350 [openvswitch]  ovs_vport_receive+0x61/0xd0 [openvswitch]  ? kernel_init_free_pages.part.0+0x4a/0x70  ? get_page_from_freelist+0x353/0x540  netdev_port_receive+0xc4/0x180 [openvswitch]  ? netdev_port_receive+0x180/0x180 [openvswitch]  netdev_frame_hook+0x1f/0x40 [openvswitch]  __netif_receive_skb_core.constprop.0+0x23a/0xf00  __netif_receive_skb_list_core+0xfa/0x240  netif_receive_skb_list_internal+0x18e/0x2a0  napi_complete_done+0x7a/0x1c0  bnxt_poll+0x155/0x1c0 [bnxt_en]  __napi_poll+0x30/0x180  net_rx_action+0x126/0x280  ? bnxt_msix+0x67/0x80 [bnxt_en]  handle_softirqs+0xda/0x2d0  irq_exit_rcu+0x96/0xc0  common_interrupt+0x8e/0xa0  </IRQ>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38147",
                                "url": "https://ubuntu.com/security/CVE-2025-38147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  calipso: Don't call calipso functions for AF_INET sk.  syzkaller reported a null-ptr-deref in txopt_get(). [0]  The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there.  However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one.  The root cause is missing validation in netlbl_conn_setattr().  netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace.  However, netlbl_conn_setattr() does not check if the address family matches the socket.  The syzkaller must have called connect() for an IPv6 address on an IPv4 socket.  We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage.  Let's copy the validation to netlbl_conn_setattr().  [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS:  00007f9019bd7640(0000) 
GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace:  <TASK>  calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557  netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177  selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569  selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]  selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615  selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931  security_socket_connect+0x50/0xa0 security/security.c:4598  __sys_connect_file+0xa4/0x190 net/socket.c:2067  __sys_connect+0x12c/0x170 net/socket.c:2088  __do_sys_connect net/socket.c:2098 [inline]  __se_sys_connect net/socket.c:2095 [inline]  __x64_sys_connect+0x73/0xb0 net/socket.c:2095  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000  </TASK> Modules linked in:",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38278",
                                "url": "https://ubuntu.com/security/CVE-2025-38278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback  This patch addresses below issues,  1. Active traffic on the leaf node must be stopped before its send queue    is reassigned to the parent. This patch resolves the issue by marking    the node as 'Inner'.  2. During a system reboot, the interface receives TC_HTB_LEAF_DEL    and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.    In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue    is reassigned to the parent, the current logic still attempts to update    the real number of queues, leadning to below warnings          New queues can't be registered after device unregistration.         WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714         netdev_queue_update_kobjects+0x1e4/0x200",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38148",
                                "url": "https://ubuntu.com/security/CVE-2025-38148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: mscc: Fix memory leak when using one step timestamping  Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never released. Fix this by freeing the frame in case of one-step timestamping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38149",
                                "url": "https://ubuntu.com/security/CVE-2025-38149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: clear phydev->devlink when the link is deleted  There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the \"error\" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows.  [   24.702421] Call trace: [   24.704856]  device_link_put_kref+0x20/0x120 [   24.709124]  device_link_del+0x30/0x48 [   24.712864]  phy_detach+0x24/0x168 [   24.716261]  phy_attach_direct+0x168/0x3a4 [   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c [   24.725140]  phylink_of_phy_connect+0x1c/0x34  Therefore, phydev->devlink needs to be cleared when the device link is deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38280",
                                "url": "https://ubuntu.com/security/CVE-2025-38280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Avoid __bpf_prog_ret0_warn when jit fails  syzkaller reported an issue:  WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace:  <TASK>  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105  ...  When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, but jit failed due to FAULT_INJECTION. As a result, incorrectly treats the program as valid, when the program runs it calls `__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38151",
                                "url": "https://ubuntu.com/security/CVE-2025-38151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work  The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item currently in the work queue.  However, it left a problem when queue_work fails (because the item is still pending in the work queue from a previous call). In this case, cma_id_put (which is called in the work handler) is therefore not called. This results in a userspace process hang (zombie process).  Fix this by calling cma_id_put() if queue_work fails.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38153",
                                "url": "https://ubuntu.com/security/CVE-2025-38153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: aqc111: fix error handling of usbnet read calls  Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").  For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings.  Fix the issue by verifying that the number of bytes read is as expected and not less.  [1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  is_valid_ether_addr include/linux/etherdevice.h:208 [inline]  usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline]  really_probe+0x4d1/0xd90 drivers/base/dd.c:658  __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ...  Uninit was stored to memory at:  dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582  __dev_addr_set include/linux/netdevice.h:4874 [inline]  eth_hw_addr_set include/linux/etherdevice.h:325 [inline]  aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ...  
Uninit was stored to memory at:  ether_addr_copy include/linux/etherdevice.h:305 [inline]  aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]  aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline] ...  Local variable buf.i created at:  aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]  aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38154",
                                "url": "https://ubuntu.com/security/CVE-2025-38154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Avoid using sk_socket after free when sending  The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected.  Race conditions: ''' CPU0                               CPU1  backlog::skb_send_sock   sendmsg_unlocked     sock_sendmsg       sock_sendmsg_nosec                                    close(fd):                                      ...                                      ops->release() -> sock_map_close()                                      sk_socket->ops = NULL                                      free(socket)       sock->ops->sendmsg             ^             panic here '''  The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() {     ...     if (likely(psock)) {     ...     // !! here we remove psock and the ref of psock become 0     sock_map_remove_links(sk, psock)     psock = sk_psock_get(sk);     if (unlikely(!psock))         goto no_psock; <=== Control jumps here via goto         ...         cancel_delayed_work_sync(&psock->work); <=== not executed         sk_psock_put(sk, psock);         ... } '''  Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions.  With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work.  If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync().  In summary, we require synchronization to coordinate the backlog thread and close() thread.  
The panic I caught: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace:  <TASK>  ? die_addr+0x40/0xa0  ? exc_general_protection+0x14c/0x230  ? asm_exc_general_protection+0x26/0x30  ? sock_sendmsg+0x21d/0x440  ? sock_sendmsg+0x3e0/0x440  ? __pfx_sock_sendmsg+0x10/0x10  __skb_send_sock+0x543/0xb70  sk_psock_backlog+0x247/0xb80 ... '''",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38315",
                                "url": "https://ubuntu.com/security/CVE-2025-38315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btintel: Check dsbr size from EFI variable  Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38155",
                                "url": "https://ubuntu.com/security/CVE-2025-38155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7915_mmio_wed_init().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38156",
                                "url": "https://ubuntu.com/security/CVE-2025-38156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7996_mmio_wed_init()",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38282",
                                "url": "https://ubuntu.com/security/CVE-2025-38282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kernfs: Relax constraint in draining guard  The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanism is in place, the WARN check in kernfs_should_drain_open_files() is too sensitive -- it may transiently catch those (rightful) callers between kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen Ridong:  \tkernfs_remove_by_name_ns\tkernfs_get_active // active=1 \t__kernfs_remove\t\t\t\t\t  // active=0x80000002 \tkernfs_drain\t\t\t... \twait_event \t//waiting (active == 0x80000001) \t\t\t\t\tkernfs_break_active_protection \t\t\t\t\t// active = 0x80000001 \t// continue \t\t\t\t\tkernfs_unbreak_active_protection \t\t\t\t\t// active = 0x80000002 \t... \tkernfs_should_drain_open_files \t// warning occurs \t\t\t\t\tkernfs_put_active  To avoid the false positives (mind panic_on_warn) remove the check altogether. (This is meant as quick fix, I think active reference break/unbreak may be simplified with larger rework.)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38157",
                                "url": "https://ubuntu.com/security/CVE-2025-38157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath9k_htc: Abort software beacon handling if disabled  A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a divide-by-zero error in the driver, leading to either a crash or an out-of-bounds read.  Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38283",
                                "url": "https://ubuntu.com/security/CVE-2025-38283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: bugfix live migration function without VF device driver  If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors.  Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38158",
                                "url": "https://ubuntu.com/security/CVE-2025-38158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: fix XQE dma address error  The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services  failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected.  Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data.  In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38159",
                                "url": "https://ubuntu.com/security/CVE-2025-38159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds  Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes:  void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) {     ...     SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);     SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));     ...     SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));  Detected using the static analysis tool - Svace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38285",
                                "url": "https://ubuntu.com/security/CVE-2025-38285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix WARN() in get_bpf_raw_tp_regs  syzkaller reported an issue:  WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 FS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]  bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]  bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405  __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47  __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47  __do_trace_mmap_lock_acquire_returned 
include/trace/events/mmap_lock.h:47 [inline]  trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]  __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]  mmap_read_trylock include/linux/mmap_lock.h:204 [inline]  stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157  __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483  ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]  bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]  bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  Tracepoint like trace_mmap_lock_acquire_returned may cause nested call as the corner case show above, which will be resolved with more general method in the future. As a result, WARN_ON_ONCE will be triggered. As Alexei suggested, remove the WARN_ON_ONCE first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38286",
                                "url": "https://ubuntu.com/security/CVE-2025-38286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: at91: Fix possible out-of-boundary access  at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38160",
                                "url": "https://ubuntu.com/security/CVE-2025-38160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()  devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38161",
                                "url": "https://ubuntu.com/security/CVE-2025-38161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction  Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure.  Now properly rollback the object to its original state upon such failure.  In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G          OE     -------  ---  6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: 
ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace:  refcount_warn_saturate+0xf4/0x148  mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]  mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]  mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]  ib_destroy_wq_user+0x30/0xc0 [ib_core]  uverbs_free_wq+0x28/0x58 [ib_uverbs]  destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]  uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]  __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]  uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]  ib_uverbs_close+0x2c/0x100 [ib_uverbs]  __fput+0xd8/0x2f0  __fput_sync+0x50/0x70  __arm64_sys_close+0x40/0x90  invoke_syscall.constprop.0+0x74/0xd0  do_el0_svc+0x48/0xe8  el0_svc+0x44/0x1d0  el0t_64_sync_handler+0x120/0x130  el0t_64_sync+0x1a4/0x1a8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38162",
                                "url": "https://ubuntu.com/security/CVE-2025-38162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo: prevent overflow in lookup table allocation  When calculating the lookup table size, ensure the following multiplication does not overflow:  - desc->field_len[] maximum value is U8_MAX multiplied by   NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in   struct nft_pipapo_field.  Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this.  While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38288",
                                "url": "https://ubuntu.com/security/CVE-2025-38288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels  Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id().  smp_processor_id() checks to see if preemption is disabled and if not, issue an error message followed by a call to dump_stack().  Brief example of call trace: kernel:  check_preemption_disabled: 436 callbacks suppressed kernel:  BUG: using smp_processor_id() in preemptible [00000000]          code: kworker/u1025:0/2354 kernel:  caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  CPU: 129 PID: 2354 Comm: kworker/u1025:0 kernel:  ... kernel:  Workqueue: writeback wb_workfn (flush-253:0) kernel:  Call Trace: kernel:   <TASK> kernel:   dump_stack_lvl+0x34/0x48 kernel:   check_preemption_disabled+0xdd/0xe0 kernel:   pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  ...",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38290",
                                "url": "https://ubuntu.com/security/CVE-2025-38290",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20  The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38292",
                                "url": "https://ubuntu.com/security/CVE-2025-38292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix invalid access to memory  In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, rxcb->is_continuation is accessed again, which is wrong since the memory is already freed. This might lead to a use-after-free error.  Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used.  Compile tested only.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38163",
                                "url": "https://ubuntu.com/security/CVE-2025-38163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to do sanity check on sbi->total_valid_block_count  syzbot reported a f2fs bug as below:  ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace:  f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695  truncate_dnode+0x417/0x740 fs/f2fs/node.c:973  truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014  f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197  f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810  f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838  f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888  f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112  notify_change+0xbca/0xe90 fs/attr.c:552  do_truncate+0x222/0x310 fs/open.c:65  handle_truncate fs/namei.c:3466 [inline]  do_open fs/namei.c:3849 [inline]  path_openat+0x2e4f/0x35d0 fs/namei.c:4004  do_filp_open+0x284/0x4e0 fs/namei.c:4031  do_sys_openat2+0x12b/0x1d0 fs/open.c:1429  do_sys_open fs/open.c:1444 [inline]  __do_sys_creat fs/open.c:1522 [inline]  __se_sys_creat fs/open.c:1516 [inline]  __x64_sys_creat+0x124/0x170 fs/open.c:1516  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94  The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38317",
                                "url": "https://ubuntu.com/security/CVE-2025-38317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Fix buffer overflow in debugfs  If the user tries to write more than 32 bytes then it results in memory corruption.  Fortunately, this is debugfs so it's limited to root users.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38164",
                                "url": "https://ubuntu.com/security/CVE-2025-38164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: zone: fix to avoid inconsistence in between SIT and SSA  w/ below testcase, it will cause inconsistence in between SIT and SSA.  create_null_blk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch /mnt/f2fs/file f2fs_io pinfile set /mnt/f2fs/file fallocate -l 4GiB /mnt/f2fs/file  F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G           O      6.13.0-rc1 #84 Tainted: [O]=OOT_MODULE Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 Call Trace:  <TASK>  dump_stack_lvl+0xb3/0xd0  dump_stack+0x14/0x20  f2fs_handle_critical_error+0x18c/0x220 [f2fs]  f2fs_stop_checkpoint+0x38/0x50 [f2fs]  do_garbage_collect+0x674/0x6e0 [f2fs]  f2fs_gc_range+0x12b/0x230 [f2fs]  f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]  f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]  f2fs_fallocate+0x3c3/0x410 [f2fs]  vfs_fallocate+0x15f/0x4b0  __x64_sys_fallocate+0x4a/0x80  x64_sys_call+0x15e8/0x1b80  do_syscall_64+0x68/0x130  entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f9dba5197ca F2FS-fs (nullb0): Stopped filesystem due to reason: 4  The reason is f2fs_gc_range() may try to migrate block in curseg, however, its SSA block is not uptodate due to the last summary block data is still in cache of curseg.  In this patch, we add a condition in f2fs_gc_range() to check whether section is opened or not, and skip block migration for opened section.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38165",
                                "url": "https://ubuntu.com/security/CVE-2025-38165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Fix panic when calling skb_linearize  The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000  Then a kernel panic was captured: ''' [  657.460555] kernel BUG at net/core/skbuff.c:2178! [  657.462680] Tainted: [W]=WARN [  657.463287] Workqueue: events sk_psock_backlog ... [  657.469610]  <TASK> [  657.469738]  ? die+0x36/0x90 [  657.469916]  ? do_trap+0x1d0/0x270 [  657.470118]  ? pskb_expand_head+0x612/0xf40 [  657.470376]  ? pskb_expand_head+0x612/0xf40 [  657.470620]  ? do_error_trap+0xa3/0x170 [  657.470846]  ? pskb_expand_head+0x612/0xf40 [  657.471092]  ? handle_invalid_op+0x2c/0x40 [  657.471335]  ? pskb_expand_head+0x612/0xf40 [  657.471579]  ? exc_invalid_op+0x2d/0x40 [  657.471805]  ? asm_exc_invalid_op+0x1a/0x20 [  657.472052]  ? pskb_expand_head+0xd1/0xf40 [  657.472292]  ? pskb_expand_head+0x612/0xf40 [  657.472540]  ? lock_acquire+0x18f/0x4e0 [  657.472766]  ? find_held_lock+0x2d/0x110 [  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10 [  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470 [  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10 [  657.473826]  __pskb_pull_tail+0xfd/0x1d20 [  657.474062]  ? __kasan_slab_alloc+0x4e/0x90 [  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510 [  657.475392]  ? __kasan_kmalloc+0xaa/0xb0 [  657.476010]  sk_psock_backlog+0x5cf/0xd70 [  657.476637]  process_one_work+0x858/0x1a20 '''  The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.  
The \"--rx-strp 100000\" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.  To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.  ''' sk_psock_backlog:     sk_psock_handle_skb        skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'        sk_psock_skb_ingress____________                                        ↓                                        |                                        | → sk_psock_skb_ingress_self                                        |      sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑          skb_linearize '''  Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38166",
                                "url": "https://ubuntu.com/security/CVE-2025-38166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix ktls panic with sockmap  [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299]  <TASK> [ 2172.945428]  ? die+0x36/0x90 [ 2172.945601]  ? do_trap+0xdd/0x100 [ 2172.945795]  ? iov_iter_revert+0x178/0x180 [ 2172.946031]  ? iov_iter_revert+0x178/0x180 [ 2172.946267]  ? do_error_trap+0x7d/0x110 [ 2172.946499]  ? iov_iter_revert+0x178/0x180 [ 2172.946736]  ? exc_invalid_op+0x50/0x70 [ 2172.946961]  ? iov_iter_revert+0x178/0x180 [ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446]  ? iov_iter_revert+0x178/0x180 [ 2172.947683]  ? iov_iter_revert+0x5c/0x180 [ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206]  tls_sw_sendmsg+0x52/0x80 [ 2172.948420]  ? inet_sendmsg+0x1f/0x70 [ 2172.948634]  __sys_sendto+0x1cd/0x200 [ 2172.948848]  ? find_held_lock+0x2b/0x80 [ 2172.949072]  ? syscall_trace_enter+0x140/0x270 [ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595]  ? find_held_lock+0x2b/0x80 [ 2172.949817]  ? syscall_trace_enter+0x140/0x270 [ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036]  __x64_sys_sendto+0x24/0x30 [ 2172.951382]  do_syscall_64+0x90/0x170 ......  After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data().  If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. 
''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); '''  The changes in this commit are based on the following considerations:  1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic.  2. We can not calculate the correct number of bytes to revert msg_iter.  Assume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: \"abc?de?fgh?\". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes \"?fgh?\" will be cached until the length meets the cork_bytes requirement.  However, some data in \"?fgh?\" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data \"?\" we pushed.  So it doesn't seem as simple as just reverting through an offset of msg_iter.  3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached.  Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { \tif (ret == -ENOSPC) \t\tret = 0; \tgoto send_end; '''  So it's ok to just return 'copied' without error when a \"cork\" situation occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38293",
                                "url": "https://ubuntu.com/security/CVE-2025-38293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath11k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ...  Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38295",
                                "url": "https://ubuntu.com/security/CVE-2025-38295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()  The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context.  Following kernel warning and stack trace: [   31.745138] [   T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 [   31.745154] [   T2289] caller is debug_smp_processor_id+0x28/0x38 [   31.745172] [   T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 [   31.745181] [   T2289] Tainted: [W]=WARN [   31.745183] [   T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) [   31.745188] [   T2289] Call trace: [   31.745191] [   T2289]  show_stack+0x28/0x40 (C) [   31.745199] [   T2289]  dump_stack_lvl+0x4c/0x198 [   31.745205] [   T2289]  dump_stack+0x20/0x50 [   31.745209] [   T2289]  check_preemption_disabled+0xec/0xf0 [   31.745213] [   T2289]  debug_smp_processor_id+0x28/0x38 [   31.745216] [   T2289]  meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745237] [   T2289]  g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745246] [   T2289]  platform_probe+0x98/0xe0 [   31.745254] [   T2289]  really_probe+0x144/0x3f8 [   31.745258] [   T2289]  __driver_probe_device+0xb8/0x180 [   31.745261] [   T2289]  driver_probe_device+0x54/0x268 [   31.745264] [   T2289]  __driver_attach+0x11c/0x288 [   31.745267] [   T2289]  bus_for_each_dev+0xfc/0x160 [   31.745274] [   T2289]  driver_attach+0x34/0x50 [   31.745277] [   T2289]  bus_add_driver+0x160/0x2b0 [   31.745281] [   T2289]  driver_register+0x78/0x120 [   
31.745285] [   T2289]  __platform_driver_register+0x30/0x48 [   31.745288] [   T2289]  init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745298] [   T2289]  do_one_initcall+0x11c/0x438 [   31.745303] [   T2289]  do_init_module+0x68/0x228 [   31.745311] [   T2289]  load_module+0x118c/0x13a8 [   31.745315] [   T2289]  __arm64_sys_finit_module+0x274/0x390 [   31.745320] [   T2289]  invoke_syscall+0x74/0x108 [   31.745326] [   T2289]  el0_svc_common+0x90/0xf8 [   31.745330] [   T2289]  do_el0_svc+0x2c/0x48 [   31.745333] [   T2289]  el0_svc+0x60/0x150 [   31.745337] [   T2289]  el0t_64_sync_handler+0x80/0x118 [   31.745341] [   T2289]  el0t_64_sync+0x1b8/0x1c0  The change replaces smp_processor_id() with raw_smp_processor_id() to ensure safe CPU ID retrieval in preemptible contexts.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38167",
                                "url": "https://ubuntu.com/security/CVE-2025-38167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/ntfs3: handle hdr_first_de() return value  The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently.  Additionally, error handling for the return value already exists at other points where this function is called.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38318",
                                "url": "https://ubuntu.com/security/CVE-2025-38318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Fix missing platform_set_drvdata()  Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38168",
                                "url": "https://ubuntu.com/security/CVE-2025-38168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Unregister PMUs on probe failure  When a resource allocation fails in one clock domain of an NI device, we need to properly roll back all previously registered perf PMUs in other clock domains of the same device.  Otherwise, it can lead to kernel panics.  Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 list_add corruption: next->prev should be prev (fffffd01e9698a18), but was 0000000000000000. (next=ffff10001a0decc8). pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : list_add_valid_or_report+0x7c/0xb8 lr : list_add_valid_or_report+0x7c/0xb8 Call trace:  __list_add_valid_or_report+0x7c/0xb8  perf_pmu_register+0x22c/0x3a0  arm_ni_probe+0x554/0x70c [arm_ni]  platform_probe+0x70/0xe8  really_probe+0xc6/0x4d8  driver_probe_device+0x48/0x170  __driver_attach+0x8e/0x1c0  bus_for_each_dev+0x64/0xf0  driver_add+0x138/0x260  bus_add_driver+0x68/0x138  __platform_driver_register+0x2c/0x40  arm_ni_init+0x14/0x2a [arm_ni]  do_init_module+0x36/0x298 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38169",
                                "url": "https://ubuntu.com/security/CVE-2025-38169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP  On system with SME, a thread's kernel FPSIMD state may be erroneously clobbered during a context switch immediately after that state is restored. Systems without SME are unaffected.  If the CPU happens to be in streaming SVE mode before a context switch to a thread with kernel FPSIMD state, fpsimd_thread_switch() will restore the kernel FPSIMD state using fpsimd_load_kernel_state() while the CPU is still in streaming SVE mode. When fpsimd_thread_switch() subsequently calls fpsimd_flush_cpu_state(), this will execute an SMSTOP, causing an exit from streaming SVE mode. The exit from streaming SVE mode will cause the hardware to reset a number of FPSIMD/SVE/SME registers, clobbering the FPSIMD state.  Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38170",
                                "url": "https://ubuntu.com/security/CVE-2025-38170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Discard stale CPU state when handling SME traps  The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set:  |        /* With TIF_SME userspace shouldn't generate any traps */ |        if (test_and_set_thread_flag(TIF_SME)) |                WARN_ON(1);  This is very similar to the SVE issue we fixed in commit:    751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")  The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g.  | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { |         // Trap on CPU 0 with TIF_SME clear, SME traps enabled |         // task->fpsimd_cpu is 0. |         // per_cpu_ptr(&fpsimd_last_state, 0) is task. | |         ... | |         // Preempted; migrated from CPU 0 to CPU 1. |         // TIF_FOREIGN_FPSTATE is set. | |         get_cpu_fpsimd_context(); | |         /* With TIF_SME userspace shouldn't generate any traps */ |         if (test_and_set_thread_flag(TIF_SME)) |                 WARN_ON(1); | |         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { |                 unsigned long vq_minus_one = |                         sve_vq_from_vl(task_get_sme_vl(current)) - 1; |                 sme_set_vq(vq_minus_one); | |                 fpsimd_bind_task_to_cpu(); |         } | |         put_cpu_fpsimd_context(); | |         // Preempted; migrated from CPU 1 to CPU 0. 
|         // task->fpsimd_cpu is still 0 |         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: |         // - Stale HW state is reused (with SME traps enabled) |         // - TIF_FOREIGN_FPSTATE is cleared |         // - A return to userspace skips HW state restore | }  Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.  Note: this was originally posted as [1].  [ Rutland: rewrite commit message ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38319",
                                "url": "https://ubuntu.com/security/CVE-2025-38319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table  The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL which is later dereferenced.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38297",
                                "url": "https://ubuntu.com/security/CVE-2025-38297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PM: EM: Fix potential division-by-zero error in em_compute_costs()  When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating costs in em_compute_costs().  Since the 'cost' algorithm is only used for EAS energy efficiency calculations and is currently not utilized by other device drivers, we should add the _is_cpu_device(dev) check to prevent this division-by-zero issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38298",
                                "url": "https://ubuntu.com/security/CVE-2025-38298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/skx_common: Fix general protection fault  After loading i10nm_edac (which automatically loads skx_edac_common), if unload only i10nm_edac, then reload it and perform error injection testing, a general protection fault may occur:    mce: [Hardware Error]: Machine check events logged   Oops: general protection fault ...   ...   Workqueue: events mce_gen_pool_process   RIP: 0010:string+0x53/0xe0   ...   Call Trace:   <TASK>   ? die_addr+0x37/0x90   ? exc_general_protection+0x1e7/0x3f0   ? asm_exc_general_protection+0x26/0x30   ? string+0x53/0xe0   vsnprintf+0x23e/0x4c0   snprintf+0x4d/0x70   skx_adxl_decode+0x16a/0x330 [skx_edac_common]   skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]   skx_mce_check_error+0x17/0x20 [skx_edac_common]   ...  The issue arose was because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above.  Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38299",
                                "url": "https://ubuntu.com/security/CVE-2025-38299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()  ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null.  Avoid a crash if the device tree is not assigning a codec to these links.  [    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [    1.181065] Mem abort info: [    1.181420]   ESR = 0x0000000096000004 [    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits [    1.182576]   SET = 0, FnV = 0 [    1.182964]   EA = 0, S1PTW = 0 [    1.183367]   FSC = 0x04: level 0 translation fault [    1.183983] Data abort info: [    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [    1.186439] [0000000000000000] user address but active_mm is swapper [    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [    1.188029] Modules linked in: [    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 [    1.189515] Hardware name: Radxa NIO 12L (DT) [    1.190065] Workqueue: events_unbound deferred_probe_work_func [    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    1.191683] pc : __pi_strcmp+0x24/0x140 [    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 [    1.192854] sp : ffff800083473970 [    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 [    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 [    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 [    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff [    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 [    1.197755] x14: ffff800082407af0 x13: 
6e6f69737265766e x12: 692d6b636f6c6374 [    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 [    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d [    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 [    1.202236] Call trace: [    1.202545]  __pi_strcmp+0x24/0x140 (P) [    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8 [    1.203644]  platform_probe+0x70/0xe8 [    1.204106]  really_probe+0xc8/0x3a0 [    1.204556]  __driver_probe_device+0x84/0x160 [    1.205104]  driver_probe_device+0x44/0x130 [    1.205630]  __device_attach_driver+0xc4/0x170 [    1.206189]  bus_for_each_drv+0x8c/0xf8 [    1.206672]  __device_attach+0xa8/0x1c8 [    1.207155]  device_initial_probe+0x1c/0x30 [    1.207681]  bus_probe_device+0xb0/0xc0 [    1.208165]  deferred_probe_work_func+0xa4/0x100 [    1.208747]  process_one_work+0x158/0x3e0 [    1.209254]  worker_thread+0x2c4/0x3e8 [    1.209727]  kthread+0x134/0x1f0 [    1.210136]  ret_from_fork+0x10/0x20 [    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) [    1.211355] ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38172",
                                "url": "https://ubuntu.com/security/CVE-2025-38172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid using multiple devices with different type  For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files.  However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to an UAF:    erofs_fc_get_tree     get_tree_bdev_flags(erofs_fc_fill_super)       erofs_read_superblock         erofs_init_device  // sbi->dif0 is not inited yet,                            // return -ENOTBLK       deactivate_locked_super         free(sbi)     if (err is -ENOTBLK)       sbi->dif0.file = filp_open()  // sbi UAF  So if -ENOTBLK is hitted in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38173",
                                "url": "https://ubuntu.com/security/CVE-2025-38173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: marvell/cesa - Handle zero-length skcipher requests  Do not access random memory for zero-length skcipher requests. Just return 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38300",
                                "url": "https://ubuntu.com/security/CVE-2025-38300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()  Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():  1] If dma_map_sg() fails for areq->dst, the device driver would try to free    DMA memory it has not allocated in the first place. To fix this, on the    \"theend_sgs\" error path, call dma unmap only if the corresponding dma    map was successful.  2] If the dma_map_single() call for the IV fails, the device driver would    try to free an invalid DMA memory address on the \"theend_iv\" path:    ------------[ cut here ]------------    DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address    WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90    Modules linked in: skcipher_example(O+)    CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O       6.15.0-rc3+ #24 PREEMPT    Tainted: [O]=OOT_MODULE    Hardware name: OrangePi Zero2 (DT)    pc : check_unmap+0x123c/0x1b90    lr : check_unmap+0x123c/0x1b90    ...    Call trace:     check_unmap+0x123c/0x1b90 (P)     debug_dma_unmap_page+0xac/0xc0     dma_unmap_page_attrs+0x1f4/0x5fc     sun8i_ce_cipher_do_one+0x1bd4/0x1f40     crypto_pump_work+0x334/0x6e0     kthread_worker_fn+0x21c/0x438     kthread+0x374/0x664     ret_from_fork+0x10/0x20    ---[ end trace 0000000000000000 ]---  To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the \"theend_iv\" path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38174",
                                "url": "https://ubuntu.com/security/CVE-2025-38174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  thunderbolt: Do not double dequeue a configuration request  Some of our devices crash in tb_cfg_request_dequeue():   general protection fault, probably for non-canonical address 0xdead000000000122   CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65  RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0  Call Trace:  <TASK>  ? tb_cfg_request_dequeue+0x2d/0xa0  tb_cfg_request_work+0x33/0x80  worker_thread+0x386/0x8f0  kthread+0xed/0x110  ret_from_fork+0x38/0x50  ret_from_fork_asm+0x1b/0x30  The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request().  Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122).  Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38175",
                                "url": "https://ubuntu.com/security/CVE-2025-38175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix yet another UAF in binder_devices  Commit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed:    ==================================================================   BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100   Write of size 8 at addr ffff0000c773b900 by task umount/467   CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT   Hardware name: linux,dummy-virt (DT)   Call trace:    binder_remove_device+0xd4/0x100    binderfs_evict_inode+0x230/0x2f0    evict+0x25c/0x5dc    iput+0x304/0x480    dentry_unlink_inode+0x208/0x46c    __dentry_kill+0x154/0x530    [...]    Allocated by task 463:    __kmalloc_cache_noprof+0x13c/0x324    binderfs_binder_device_create.isra.0+0x138/0xa60    binder_ctl_ioctl+0x1ac/0x230   [...]    Freed by task 215:    kfree+0x184/0x31c    binder_proc_dec_tmpref+0x33c/0x4ac    binder_deferred_func+0xc10/0x1108    process_one_work+0x520/0xba4   [...]   ==================================================================  Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38176",
                                "url": "https://ubuntu.com/security/CVE-2025-38176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix use-after-free in binderfs_evict_inode()  Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:  BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699  CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x1c2/0x2a0  ? __pfx_dump_stack_lvl+0x10/0x10  ? __pfx__printk+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  print_report+0x155/0x840  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  ? __phys_addr+0xba/0x170  ? binderfs_evict_inode+0x1de/0x2d0  kasan_report+0x147/0x180  ? binderfs_evict_inode+0x1de/0x2d0  binderfs_evict_inode+0x1de/0x2d0  ? __pfx_binderfs_evict_inode+0x10/0x10  evict+0x524/0x9f0  ? __pfx_lock_release+0x10/0x10  ? __pfx_evict+0x10/0x10  ? do_raw_spin_unlock+0x4d/0x210  ? _raw_spin_unlock+0x28/0x50  ? iput+0x697/0x9b0  __dentry_kill+0x209/0x660  ? shrink_kill+0x8d/0x2c0  shrink_kill+0xa9/0x2c0  shrink_dentry_list+0x2e0/0x5e0  shrink_dcache_parent+0xa2/0x2c0  ? __pfx_shrink_dcache_parent+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __pfx_do_raw_spin_lock+0x10/0x10  do_one_tree+0x23/0xe0  shrink_dcache_for_umount+0xa0/0x170  generic_shutdown_super+0x67/0x390  kill_litter_super+0x76/0xb0  binderfs_kill_super+0x44/0x90  deactivate_locked_super+0xb9/0x130  cleanup_mnt+0x422/0x4c0  ? lockdep_hardirqs_on+0x9d/0x150  task_work_run+0x1d2/0x260  ? __pfx_task_work_run+0x10/0x10  resume_user_mode_work+0x52/0x60  syscall_exit_to_user_mode+0x9a/0x120  do_syscall_64+0x103/0x210  ? 
asm_sysvec_apic_timer_interrupt+0x1a/0x20  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830  </TASK>  Allocated by task 1705:  kasan_save_track+0x3e/0x80  __kasan_kmalloc+0x8f/0xa0  __kmalloc_cache_noprof+0x213/0x3e0  binderfs_binder_device_create+0x183/0xa80  binder_ctl_ioctl+0x138/0x190  __x64_sys_ioctl+0x120/0x1b0  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 1705:  kasan_save_track+0x3e/0x80  kasan_save_free_info+0x46/0x50  __kasan_slab_free+0x62/0x70  kfree+0x194/0x440  evict+0x524/0x9f0  do_unlinkat+0x390/0x5b0  __x64_sys_unlink+0x47/0x50  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.  I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38265",
                                "url": "https://ubuntu.com/security/CVE-2025-38265",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: jsm: fix NPE during jsm_uart_port_init  No device was set which caused serial_base_ctrl_add to crash.   BUG: kernel NULL pointer dereference, address: 0000000000000050  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI  CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1  RIP: 0010:serial_base_ctrl_add+0x96/0x120  Call Trace:   <TASK>   serial_core_register_port+0x1a0/0x580   ? __setup_irq+0x39c/0x660   ? __kmalloc_cache_noprof+0x111/0x310   jsm_uart_port_init+0xe8/0x180 [jsm]   jsm_probe_one+0x1f4/0x410 [jsm]   local_pci_probe+0x42/0x90   pci_device_probe+0x22f/0x270   really_probe+0xdb/0x340   ? pm_runtime_barrier+0x54/0x90   ? __pfx___driver_attach+0x10/0x10   __driver_probe_device+0x78/0x110   driver_probe_device+0x1f/0xa0   __driver_attach+0xba/0x1c0   bus_for_each_dev+0x8c/0xe0   bus_add_driver+0x112/0x1f0   driver_register+0x72/0xd0   jsm_init_module+0x36/0xff0 [jsm]   ? __pfx_jsm_init_module+0x10/0x10 [jsm]   do_one_initcall+0x58/0x310   do_init_module+0x60/0x230  Tested with Digi Neo PCIe 8 port card.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38092",
                                "url": "https://ubuntu.com/security/CVE-2025-38092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: use list_first_entry_or_null for opinfo_get_list()  The list_first_entry() macro never returns NULL.  If the list is empty then it returns an invalid pointer.  Use list_first_entry_or_null() to check if the list is empty.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38091",
                                "url": "https://ubuntu.com/security/CVE-2025-38091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: check stream id dml21 wrapper to get plane_id  [Why & How] Fix a false positive warning which occurs due to lack of correct checks when querying plane_id in DML21. This fixes the warning when performing a mode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):  [   35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi [   35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G          OE      6.11.0-21-generic #21~24.04.1-Ubuntu [   35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [   35.751505] Hardware name: Gigabyte Technology Co., Ltd. 
X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024 [   35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu] [   35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87 [   35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246 [   35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000 [   35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [   35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000 [   35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000 [   35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000 [   35.751803] FS:  0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000 [   35.751804] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0 [   35.751806] PKRU: 55555554 [   35.751807] Call Trace: [   35.751810]  <TASK> [   35.751816]  ? show_regs+0x6c/0x80 [   35.751820]  ? __warn+0x88/0x140 [   35.751822]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751964]  ? report_bug+0x182/0x1b0 [   35.751969]  ? handle_bug+0x6e/0xb0 [   35.751972]  ? exc_invalid_op+0x18/0x80 [   35.751974]  ? asm_exc_invalid_op+0x1b/0x20 [   35.751978]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.752117]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752256]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752260]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752400]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752403]  ? math_pow+0x11/0xa0 [amdgpu] [   35.752524]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752526]  ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu] [   35.752663]  ? 
srso_alias_return_thunk+0x5/0xfbef5 [   35.752669]  dml21_validate+0x3d4/0x980 [amdgpu]  (cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38082",
                                "url": "https://ubuntu.com/security/CVE-2025-38082",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpio: virtuser: fix potential out-of-bound write  If the caller wrote more characters, count is truncated to the max available space in \"simple_write_to_buffer\". Check that the input size does not exceed the buffer size. Write a zero termination afterwards.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38050",
                                "url": "https://ubuntu.com/security/CVE-2025-38050",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios  A kernel crash was observed when replacing free hugetlb folios:  BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK>  replace_free_hugepage_folios+0xb6/0x100  alloc_contig_range_noprof+0x18a/0x590  ? srso_return_thunk+0x5/0x5f  ? down_read+0x12/0xa0  ? srso_return_thunk+0x5/0x5f  cma_range_alloc.constprop.0+0x131/0x290  __cma_alloc+0xcf/0x2c0  cma_alloc_write+0x43/0xb0  simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110  debugfs_attr_write+0x46/0x70  full_proxy_write+0x62/0xa0  vfs_write+0xf8/0x420  ? srso_return_thunk+0x5/0x5f  ? filp_flush+0x86/0xa0  ? srso_return_thunk+0x5/0x5f  ? filp_close+0x1f/0x30  ? srso_return_thunk+0x5/0x5f  ? do_dup2+0xaf/0x160  ? 
srso_return_thunk+0x5/0x5f  ksys_write+0x65/0xe0  do_syscall_64+0x64/0x170  entry_SYSCALL_64_after_hwframe+0x76/0x7e  There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios():  CPU1                              CPU2 __update_and_free_hugetlb_folio   replace_free_hugepage_folios                                     folio_test_hugetlb(folio)                                     -- It's still hugetlb folio.    __folio_clear_hugetlb(folio)   hugetlb_free_folio(folio)                                     h = folio_hstate(folio)                                     -- Here, h is NULL pointer  When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38029",
                                "url": "https://ubuntu.com/security/CVE-2025-38029",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kasan: avoid sleepable page allocation from atomic context  apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g.  if an architecutre disables preemption on lazy MMU mode enter.  On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:  [    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [    0.663358] preempt_count: 1, expected: 0 [    0.663366] RCU nest depth: 0, expected: 0 [    0.663375] no locks held by kthreadd/2. [    0.663383] Preemption disabled at: [    0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [    0.663409] Call Trace: [    0.663410]  [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [    0.663413]  [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [    0.663415]  [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [    0.663419]  [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [    0.663421]  [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [    0.663424]  [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [    0.663427]  [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [    0.663429]  [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [    0.663433]  [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [    0.663435]  [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [    0.663437]  [<0002f3284cbc99be>] 
__apply_to_page_range+0x2fe/0x7a0 [    0.663440]  [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [    0.663442]  [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [    0.663445]  [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [    0.663448]  [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [    0.663451]  [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [    0.663454]  [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [    0.663457]  [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [    0.663460]  [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [    0.663463]  [<0002f3284c45be90>] copy_process+0x280/0x4b90 [    0.663465]  [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [    0.663467]  [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [    0.663469]  [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [    0.663472]  [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [    0.663475]  [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38  Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38076",
                                "url": "https://ubuntu.com/security/CVE-2025-38076",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  alloc_tag: allocate percpu counters for module tags dynamically  When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused.  However percpu counters referenced by the tags are freed by free_module().  This will lead to UAF if the memory allocated by a module is accessed after module was unloaded.  To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading.  This also removes the requirement of a larger PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38051",
                                "url": "https://ubuntu.com/security/CVE-2025-38051",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix use-after-free in cifs_fill_dirent  There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning.   ==================================================================  BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]  Read of size 4 at addr ffff8880099b819c by task a.out/342975   CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014  Call Trace:   <TASK>   dump_stack_lvl+0x53/0x70   print_report+0xce/0x640   kasan_report+0xb8/0xf0   cifs_fill_dirent+0xb03/0xb60 [cifs]   cifs_readdir+0x12cb/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f996f64b9f9  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01  f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8  RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e  RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88  R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000   </TASK>   Allocated by task 408:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   __kasan_slab_alloc+0x6e/0x70   kmem_cache_alloc_noprof+0x117/0x3d0   mempool_alloc_noprof+0xf2/0x2c0   cifs_buf_get+0x36/0x80 [cifs]   allocate_buffers+0x1d2/0x330 [cifs]   cifs_demultiplex_thread+0x22b/0x2690 [cifs]   kthread+0x394/0x720   ret_from_fork+0x34/0x70   
ret_from_fork_asm+0x1a/0x30   Freed by task 342979:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x60   __kasan_slab_free+0x37/0x50   kmem_cache_free+0x2b8/0x500   cifs_buf_release+0x3c/0x70 [cifs]   cifs_readdir+0x1c97/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents64+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e   The buggy address belongs to the object at ffff8880099b8000   which belongs to the cache cifs_request of size 16588  The buggy address is located 412 bytes inside of   freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)   The buggy address belongs to the physical page:  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8  head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  anon flags: 0x80000000000040(head|node=0|zone=1)  page_type: f5(slab)  raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff  head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008  page dumped because: kasan: bad access detected   Memory state around the buggy address:   ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                              ^   ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  ==================================================================  POC is available in the link [1].  
The problem triggering process is as follows:  Process 1                       Process 2 ----------------------------------- ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38077",
                                "url": "https://ubuntu.com/security/CVE-2025-38077",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()  If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow.  Add a check for an empty string.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38078",
                                "url": "https://ubuntu.com/security/CVE-2025-38078",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: Fix race of buffer access at PCM OSS layer  The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area.  But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops.  For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38003",
                                "url": "https://ubuntu.com/security/CVE-2025-38003",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add missing rcu read protection for procfs content  When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF).  As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-08 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38004",
                                "url": "https://ubuntu.com/security/CVE-2025-38004",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add locking for bcm_op runtime updates  The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero.  Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh.  At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-08 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38031",
                                "url": "https://ubuntu.com/security/CVE-2025-38031",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: do not leak refcount in reorder_work  A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented.  Fix this by checking the return value of queue_work() and decrementing the refcount when necessary.  Resolves:  Unreferenced object 0xffff9d9f421e3d80 (size 192):   comm \"cryptomgr_probe\", pid 157, jiffies 4294694003   hex dump (first 32 bytes):     80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............     d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.   backtrace (crc 838fb36):     __kmalloc_cache_noprof+0x284/0x320     padata_alloc_pd+0x20/0x1e0     padata_alloc_shell+0x3b/0xa0     0xffffffffc040a54d     cryptomgr_probe+0x43/0xc0     kthread+0xf6/0x1f0     ret_from_fork+0x2f/0x50     ret_from_fork_asm+0x1a/0x30",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38079",
                                "url": "https://ubuntu.com/security/CVE-2025-38079",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_hash - fix double free in hash_accept  If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38052",
                                "url": "https://ubuntu.com/security/CVE-2025-38052",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done  Syzbot reported a slab-use-after-free with the following call trace:    ==================================================================   BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840   Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25    Call Trace:    kasan_report+0xd9/0x110 mm/kasan/report.c:601    tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840    crypto_request_complete include/crypto/algapi.h:266    aead_request_complete include/crypto/internal/aead.h:85    cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772    crypto_request_complete include/crypto/algapi.h:266    cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231    Allocated by task 8355:    kzalloc_noprof include/linux/slab.h:778    tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466    tipc_init_net+0x2dd/0x430 net/tipc/core.c:72    ops_init+0xb9/0x650 net/core/net_namespace.c:139    setup_net+0x435/0xb40 net/core/net_namespace.c:343    copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508    create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110    unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228    ksys_unshare+0x419/0x970 kernel/fork.c:3323    __do_sys_unshare kernel/fork.c:3394    Freed by task 63:    kfree+0x12a/0x3b0 mm/slub.c:4557    tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539    tipc_exit_net+0x8c/0x110 net/tipc/core.c:119    ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173    cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231  After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done may still visit it in cryptd_queue_worker workqueue.  
I reproduce this issue by:   ip netns add ns1   ip link add veth1 type veth peer name veth2   ip link set veth1 netns ns1   ip netns exec ns1 tipc bearer enable media eth dev veth1   ip netns exec ns1 tipc node set key this_is_a_master_key master   ip netns exec ns1 tipc bearer disable media eth dev veth1   ip netns del ns1  The key of reproduction is that, simd_aead_encrypt is interrupted, leading to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is triggered, and the tipc_crypto tx will be visited.    tipc_disc_timeout     tipc_bearer_xmit_skb       tipc_crypto_xmit         tipc_aead_encrypt           crypto_aead_encrypt             // encrypt()             simd_aead_encrypt               // crypto_simd_usable() is false               child = &ctx->cryptd_tfm->base;    simd_aead_encrypt     crypto_aead_encrypt       // encrypt()       cryptd_aead_encrypt_enqueue         cryptd_aead_enqueue           cryptd_enqueue_request             // trigger cryptd_queue_worker             queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)  Fix this by holding net reference count before encrypt.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38053",
                                "url": "https://ubuntu.com/security/CVE-2025-38053",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: fix null-ptr-deref in idpf_features_check  idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL.  To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path.  BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace:  <TASK>  ? __die+0x23/0x70  ? page_fault_oops+0x154/0x520  ? exc_page_fault+0x76/0x190  ? asm_exc_page_fault+0x26/0x30  ? idpf_features_check+0x6d/0xe0 [idpf]  netif_skb_features+0x88/0x310  validate_xmit_skb+0x2a/0x2b0  validate_xmit_skb_list+0x4c/0x70  sch_direct_xmit+0x19d/0x3a0  __dev_queue_xmit+0xb74/0xe70  ...",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38032",
                                "url": "https://ubuntu.com/security/CVE-2025-38032",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mr: consolidate the ipmr_can_free_table() checks.  Guoyu Yin reported a splat in the ipmr netns cleanup path:  WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline] WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Modules linked in: CPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ipmr_free_table net/ipv4/ipmr.c:440 [inline] RIP: 0010:ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Code: ff df 48 c1 ea 03 80 3c 02 00 75 7d 48 c7 83 60 05 00 00 00 00 00 00 5b 5d 41 5c 41 5d 41 5e e9 71 67 7f 00 e8 4c 2d 8a fd 90 <0f> 0b 90 eb 93 e8 41 2d 8a fd 0f b6 2d 80 54 ea 01 31 ff 89 ee e8 RSP: 0018:ffff888109547c58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888108c12dc0 RCX: ffffffff83e09868 RDX: ffff8881022b3300 RSI: ffffffff83e098d4 RDI: 0000000000000005 RBP: ffff888104288000 R08: 0000000000000000 R09: ffffed10211825c9 R10: 0000000000000001 R11: ffff88801816c4a0 R12: 0000000000000001 R13: ffff888108c13320 R14: ffff888108c12dc0 R15: fffffbfff0b74058 FS:  00007f84f39316c0(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f84f3930f98 CR3: 0000000113b56000 CR4: 0000000000350ef0 Call Trace:  <TASK>  ipmr_net_exit_batch+0x50/0x90 net/ipv4/ipmr.c:3160  ops_exit_list+0x10c/0x160 net/core/net_namespace.c:177  setup_net+0x47d/0x8e0 net/core/net_namespace.c:394  copy_net_ns+0x25d/0x410 net/core/net_namespace.c:516  create_new_namespaces+0x3f6/0xaf0 kernel/nsproxy.c:110  unshare_nsproxy_namespaces+0xc3/0x180 kernel/nsproxy.c:228  ksys_unshare+0x78d/0x9a0 kernel/fork.c:3342  __do_sys_unshare kernel/fork.c:3413 [inline]  __se_sys_unshare kernel/fork.c:3411 [inline]  
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3411  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f84f532cc29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f84f3931038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f84f5615fa0 RCX: 00007f84f532cc29 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000400 RBP: 00007f84f53fba18 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f84f5615fa0 R15: 00007fff51c5f328  </TASK>  The running kernel has CONFIG_IP_MROUTE_MULTIPLE_TABLES disabled, and the sanity check for such build is still too loose.  Address the issue consolidating the relevant sanity check in a single helper regardless of the kernel configuration. Also share it between the ipv4 and ipv6 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38054",
                                "url": "https://ubuntu.com/security/CVE-2025-38054",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: ocp: Limit signal/freq counts in summary output functions  The debugfs summary output could access uninitialized elements in the freq_in[] and signal_out[] arrays, causing NULL pointer dereferences and triggering a kernel Oops (page_fault_oops). This patch adds u8 fields (nr_freq_in, nr_signal_out) to track the number of initialized elements, with a maximum of 4 per array. The summary output functions are updated to respect these limits, preventing out-of-bounds access and ensuring safe array handling.  Widen the label variables because the change confuses GCC about max length of the strings.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38055",
                                "url": "https://ubuntu.com/security/CVE-2025-38055",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq  Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault.  For example:      BUG: kernel NULL pointer dereference, address: 0000000000000195     <NMI>     ? __die_body.cold+0x19/0x27     ? page_fault_oops+0xca/0x290     ? exc_page_fault+0x7e/0x1b0     ? asm_exc_page_fault+0x26/0x30     ? intel_pmu_pebs_event_update_no_drain+0x40/0x60     ? intel_pmu_pebs_event_update_no_drain+0x32/0x60     intel_pmu_drain_pebs_icl+0x333/0x350     handle_pmi_common+0x272/0x3c0     intel_pmu_handle_irq+0x10a/0x2e0     perf_event_nmi_handler+0x2a/0x50  That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.  The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.  Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'.  Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38057",
                                "url": "https://ubuntu.com/security/CVE-2025-38057",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  espintcp: fix skb leaks  A few error paths are missing a kfree_skb.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38058",
                                "url": "https://ubuntu.com/security/CVE-2025-38058",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock  ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput().  Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38033",
                                "url": "https://ubuntu.com/security/CVE-2025-38033",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88  Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic:  [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U    O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250  This happens because core::fmt::write() calls core::fmt::rt::Argument::fmt(), which currently has CFI disabled:  library/core/src/fmt/rt.rs: 171     // FIXME: Transmuting formatter in new and indirectly branching to/calling 172     // it here is an explicit CFI violation. 
173     #[allow(inline_no_sanitize)] 174     #[no_sanitize(cfi, kcfi)] 175     #[inline] 176     pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result {  This causes a Control Protection exception, because FineIBT has sealed off the original function's endbr64.  This makes rust currently incompatible with FineIBT. Add a Kconfig dependency that prevents FineIBT from getting turned on by default if rust is enabled.  [ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],   and thus we relaxed the condition with Rust >= 1.88.    When `objtool` lands checking for this with e.g. [2], the plan is   to ideally run that in upstream Rust's CI to prevent regressions   early [3], since we do not control `core`'s source code.    Alice tested the Rust PR backported to an older compiler.    Peter would like that Rust provides a stable `core` which can be   pulled into the kernel: \"Relying on that much out of tree code is   'unfortunate'\".      - Miguel ]  [ Reduced splat. - Miguel ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38059",
                                "url": "https://ubuntu.com/security/CVE-2025-38059",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid NULL pointer dereference if no valid csum tree  [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace:    BUG: kernel NULL pointer dereference, address: 0000000000000208   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O       6.15.0-rc3-custom+ #236 PREEMPT(full)   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022   RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]   Call Trace:    <TASK>    scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]    scrub_simple_mirror+0x175/0x290 [btrfs]    scrub_stripe+0x5f7/0x6f0 [btrfs]    scrub_chunk+0x9a/0x150 [btrfs]    scrub_enumerate_chunks+0x333/0x660 [btrfs]    btrfs_scrub_dev+0x23e/0x600 [btrfs]    btrfs_ioctl+0x1dcf/0x2f80 [btrfs]    __x64_sys_ioctl+0x97/0xc0    do_syscall_64+0x4f/0x120    entry_SYSCALL_64_after_hwframe+0x76/0x7e  [CAUSE] Mount option \"rescue=idatacsums\" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification.  Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.  This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash.  [FIX] Check both extent and csum tree root before doing any tree search.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38034",
                                "url": "https://ubuntu.com/security/CVE-2025-38034",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref  btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().  Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.  To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable  Perform some writeback operations.  Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014  RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130  Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88  RSP: 0018:ffffce44820077a0 EFLAGS: 00010286  RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b  RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010  RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010  R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000  R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540  FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0  
PKRU: 55555554  Call Trace:   <TASK>   prelim_ref_insert+0x1c1/0x270   find_parent_nodes+0x12a6/0x1ee0   ? __entry_text_end+0x101f06/0x101f09   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   btrfs_is_data_extent_shared+0x167/0x640   ? fiemap_process_hole+0xd0/0x2c0   extent_fiemap+0xa5c/0xbc0   ? __entry_text_end+0x101f05/0x101f09   btrfs_fiemap+0x7e/0xd0   do_vfs_ioctl+0x425/0x9d0   __x64_sys_ioctl+0x75/0xc0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38035",
                                "url": "https://ubuntu.com/security/CVE-2025-38035",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: don't restore null sk_state_change  queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if the TCP connection isn't established when nvmet_tcp_set_queue_sock() is called then queue->state_change isn't set and sock->sk->sk_state_change isn't replaced.  As such we don't need to restore sock->sk->sk_state_change if queue->state_change is NULL.  This avoids NULL pointer dereferences such as this:  [  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode [  286.463796][    C0] #PF: error_code(0x0010) - not-present page [  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0 [  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI [  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary) [  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [  286.467147][    C0] RIP: 0010:0x0 [  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246 [  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43 [  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100 [  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c [  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3 [  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268 [  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000 [  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0 [  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [  286.475453][    C0] Call Trace: [  286.476102][    C0]  <IRQ> [  286.476719][    C0]  tcp_fin+0x2bb/0x440 [  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60 [  286.478174][    C0]  ? __build_skb_around+0x234/0x330 [  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10 [  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0 [  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30 [  286.482769][    C0]  ? ktime_get+0x66/0x150 [  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050 [  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0 [  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10 [  286.486917][    C0]  ? lock_release+0x217/0x2c0 [  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0 [  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30 [  286.488904][    C0]  ? 
raw_local_deliver+0x51b/0xad0 [  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10 [  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10 [  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack] [  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370 [  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420 [  286.494268][    C0]  ip_local_deliver+0x168/0x430 [  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10 [  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10 [  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20 [  286.496806][    C0]  ? lock_release+0x217/0x2c0 [  286.497414][    C0]  ip_rcv+0x455/0x6e0 [  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10 [ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38036",
                                "url": "https://ubuntu.com/security/CVE-2025-38036",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/vf: Perform early GT MMIO initialization to read GMDID  VFs need to communicate with the GuC to obtain the GMDID value and existing GuC functions used for that assume that the GT has it's MMIO members already setup. However, due to recent refactoring the gt->mmio is initialized later, and any attempt by the VF to use xe_mmio_read|write() from GuC functions will lead to NPD crash due to unset MMIO register address:  [] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode [] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507 [] BUG: unable to handle page fault for address: 0000000000190240  Since we are already tweaking the id and type of the primary GT to mimic it's a Media GT before initializing the GuC communication, we can also call xe_gt_mmio_init() to perform early setup of the gt->mmio which will make those GuC functions work again.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38037",
                                "url": "https://ubuntu.com/security/CVE-2025-38037",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: Annotate FDB data races  The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2].  Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE().  [1] BUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit  write to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:  vxlan_xmit+0xb29/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  read to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:  vxlan_xmit+0xadf/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  value changed: 0x00000000fffbac6e -> 0x00000000fffbac6f  Reported by Kernel Concurrency Sanitizer on: CPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014  [2]  #!/bin/bash   set +H  echo whitelist > /sys/kernel/debug/kcsan  echo !vxlan_xmit > /sys/kernel/debug/kcsan   ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1  bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1  taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &  taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38038",
                                "url": "https://ubuntu.com/security/CVE-2025-38038",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost  set_boost is a per-policy function call, hence a driver wide lock is unnecessary. Also this mutex_acquire can collide with the mutex_acquire from the mode-switch path in status_store(), which can lead to a deadlock. So, remove it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38039",
                                "url": "https://ubuntu.com/security/CVE-2025-38039",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled  When attempting to enable MQPRIO while HTB offload is already configured, the driver currently returns `-EINVAL` and triggers a `WARN_ON`, leading to an unnecessary call trace.  Update the code to handle this case more gracefully by returning `-EOPNOTSUPP` instead, while also providing a helpful user message.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38080",
                                "url": "https://ubuntu.com/security/CVE-2025-38080",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Increase block_sequence array size  [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash.  [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38060",
                                "url": "https://ubuntu.com/security/CVE-2025-38060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: copy_verifier_state() should copy 'loop_entry' field  The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state.  Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack().  See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.  This change has some verification performance impact for selftests:  File                                Program                       Insns (A)  Insns (B)  Insns   (DIFF)  States (A)  States (B)  States (DIFF) ----------------------------------  ----------------------------  ---------  ---------  --------------  ----------  ----------  ------------- arena_htab.bpf.o                    arena_htab_llvm                     717        426  -291 (-40.59%)          57          37  -20 (-35.09%) arena_htab_asm.bpf.o                arena_htab_asm                      597        445  -152 (-25.46%)          47          37  -10 (-21.28%) arena_list.bpf.o                    arena_list_del                      309        279    -30 (-9.71%)          23          14   -9 (-39.13%) iters.bpf.o                         iter_subprog_check_stacksafe        155        141    -14 (-9.03%)          15          14    -1 (-6.67%) iters.bpf.o                         iter_subprog_iters                 1094       1003    -91 (-8.32%)          88          83    -5 (-5.68%) iters.bpf.o                         loop_state_deps2                    479        725  +246 (+51.36%)          46          63  +17 (+36.96%) kmem_cache_iter.bpf.o               
open_coded_iter                      63         59     -4 (-6.35%)           7           6   -1 (-14.29%) verifier_bits_iter.bpf.o            max_words                            92         84     -8 (-8.70%)           8           7   -1 (-12.50%) verifier_iterating_callbacks.bpf.o  cond_break2                         113        107     -6 (-5.31%)          12          12    +0 (+0.00%)  And significant negative impact for sched_ext:  File               Program                 Insns (A)  Insns (B)  Insns        (DIFF)  States (A)  States (B)  States      (DIFF) -----------------  ----------------------  ---------  --------- --------------------  ----------  ----------  ------------------ bpf.bpf.o          lavd_init                    7039      14723      +7684 (+109.16%)         490        1139     +649 (+132.45%) bpf.bpf.o          layered_dispatch            11485      10548        -937 (-8.16%)         848         762       -86 (-10.14%) bpf.bpf.o          layered_dump                 7422    1000001  +992579 (+13373.47%)         681       31178  +30497 (+4478.27%) bpf.bpf.o          layered_enqueue             16854      71127     +54273 (+322.02%)        1611        6450    +4839 (+300.37%) bpf.bpf.o          p2dq_dispatch                 665        791        +126 (+18.95%)          68          78       +10 (+14.71%) bpf.bpf.o          p2dq_init                    2343       2980        +637 (+27.19%)         201         237       +36 (+17.91%) bpf.bpf.o          refresh_layer_cpumasks      16487     674760   +658273 (+3992.68%)        1770       65370  +63600 (+3593.22%) bpf.bpf.o          rusty_select_cpu             1937      40872    +38935 (+2010.07%)         177        3210   +3033 (+1713.56%) scx_central.bpf.o  central_dispatch              636       2687      +2051 (+322.48%)          63         227     +164 (+260.32%) scx_nest.bpf.o     nest_init                     636        815        +179 (+28.14%)          60          73       +13 (+21.67%) 
scx_qmap.bpf.o     qmap_dispatch      ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38040",
                                "url": "https://ubuntu.com/security/CVE-2025-38040",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: mctrl_gpio: split disable_ms into sync and no_sync APIs  The following splat has been observed on a SAMA5D27 platform using atmel_serial:  BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last  enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last  enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x44/0x70   dump_stack_lvl from __might_resched+0x38c/0x598   __might_resched from disable_irq+0x1c/0x48   disable_irq from mctrl_gpio_disable_ms+0x74/0xc0   mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4   atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8   atmel_set_termios from uart_change_line_settings+0x15c/0x994   uart_change_line_settings from uart_set_termios+0x2b0/0x668   uart_set_termios from tty_set_termios+0x600/0x8ec   tty_set_termios from ttyport_set_flow_control+0x188/0x1e0   ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]   wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]   hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]   hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]   hci_power_on [bluetooth] from process_one_work+0x998/0x1a38   process_one_work from worker_thread+0x6e0/0xfb4   worker_thread from kthread+0x3d4/0x484   kthread from ret_from_fork+0x14/0x28  This warning is emitted when 
trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock).  Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38061",
                                "url": "https://ubuntu.com/security/CVE-2025-38061",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: pktgen: fix access outside of user given buffer in pktgen_thread_write()  Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38062",
                                "url": "https://ubuntu.com/security/CVE-2025-38062",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie  The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:   1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address     is stored in the MSI descriptor when an MSI interrupt is allocated.   2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a     translated message address.  This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.  Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the \"container\" after starting up.  However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).  This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.  Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.  
The other UAF related to iommu_get_domain_for_dev() will be addressed in patch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by using the IOMMU group mutex.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38041",
                                "url": "https://ubuntu.com/security/CVE-2025-38041",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: sunxi-ng: h616: Reparent GPU clock during frequency changes  The H616 manual does not state that the GPU PLL supports dynamic frequency configuration, so we must take extra care when changing the frequency. Currently any attempt to do device DVFS on the GPU lead to panfrost various ooops, and GPU hangs.  The manual describes the algorithm for changing the PLL frequency, which the CPU PLL notifier code already support, so we reuse that to reparent the GPU clock to GPU1 clock during frequency changes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38063",
                                "url": "https://ubuntu.com/security/CVE-2025-38063",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix unconditional IO throttle caused by REQ_PREFLUSH  When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait().  An example from v5.4, similar problem also exists in upstream:      crash> bt 2091206     PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"      #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8      #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4      #2 [ffff800084a2f880] schedule at ffff800040bfa4b4      #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4      #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc      #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0      #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254      #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38      #8 [ffff800084a2fa60] generic_make_request at ffff800040570138      #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4     #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]     #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]     #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]     #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]     #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]     #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]     #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08     #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc     #18 [ffff800084a2fe70] kthread at ffff800040118de4  After commit 2def2845cc33 (\"xfs: don't allow log IO to be throttled\"), the metadata submitted by xlog_write_iclog() should not be throttled. But due to the existence of the dm layer, throttling flush_bio indirectly causes the metadata bio to be throttled.  
Fix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes wbt_should_throttle() return false to avoid wbt_wait().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38064",
                                "url": "https://ubuntu.com/security/CVE-2025-38064",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio: break and reset virtio devices on device_shutdown()  Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang.  \tInvalid read at addr 0x102877002, size 2, region '(null)', reason: rejected \tInvalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected \t...  It was traced down to virtio-console. Kexec works fine if virtio-console is not in use.  The issue is that virtio-console continues to write to the MMIO even after underlying virtio-pci device is reset.  Additionally, Eric noticed that IOMMUs are reset before devices, if devices are not reset on shutdown they continue to poke at guest memory and get errors from the IOMMU. Some devices get wedged then.  The problem can be solved by breaking all virtio devices on virtio bus shutdown, then resetting them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38042",
                                "url": "https://ubuntu.com/security/CVE-2025-38042",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn  The user of k3_udma_glue_reset_rx_chn() e.g. ti_am65_cpsw_nuss can run on multiple platforms having different DMA architectures. On some platforms there can be one FDQ for all flows in the RX channel while for others there is a separate FDQ for each flow in the RX channel.  So far we have been relying on the skip_fdq argument of k3_udma_glue_reset_rx_chn().  Instead of relying on the user to provide this information, infer it based on DMA architecture during k3_udma_glue_request_rx_chn() and save it in an internal flag 'single_fdq'. Use that flag at k3_udma_glue_reset_rx_chn() to deicide if the FDQ needs to be cleared for every flow or just for flow 0.  Fixes the below issue on ti_am65_cpsw_nuss driver on AM62-SK.  > ip link set eth1 down > ip link set eth0 down > ethtool -L eth0 rx 8 > ip link set eth0 up > modprobe -r ti_am65_cpsw_nuss  [  103.045726] ------------[ cut here ]------------ [  103.050505] k3_knav_desc_pool size 512000 != avail 64000 [  103.050703] WARNING: CPU: 1 PID: 450 at drivers/net/ethernet/ti/k3-cppi-desc-pool.c:33 k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.068810] Modules linked in: ti_am65_cpsw_nuss(-) k3_cppi_desc_pool snd_soc_hdmi_codec crct10dif_ce snd_soc_simple_card snd_soc_simple_card_utils display_connector rtc_ti_k3 k3_j72xx_bandgap tidss drm_client_lib snd_soc_davinci_mcas p drm_dma_helper tps6598x phylink snd_soc_ti_udma rti_wdt drm_display_helper snd_soc_tlv320aic3x_i2c typec at24 phy_gmii_sel snd_soc_ti_edma snd_soc_tlv320aic3x sii902x snd_soc_ti_sdma sa2ul omap_mailbox drm_kms_helper authenc cfg80211 r fkill fuse drm drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: k3_cppi_desc_pool] [  103.119950] CPU: 1 UID: 0 PID: 450 Comm: modprobe Not tainted 6.13.0-rc7-00001-g9c5e3435fa66 
#1011 [  103.119968] Hardware name: Texas Instruments AM625 SK (DT) [  103.119974] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  103.119983] pc : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.148007] lr : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.154709] sp : ffff8000826ebbc0 [  103.158015] x29: ffff8000826ebbc0 x28: ffff0000090b6300 x27: 0000000000000000 [  103.165145] x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000019df6b0 [  103.172271] x23: ffff0000019df6b8 x22: ffff0000019df410 x21: ffff8000826ebc88 [  103.179397] x20: 000000000007d000 x19: ffff00000a3b3000 x18: 0000000000000000 [  103.186522] x17: 0000000000000000 x16: 0000000000000000 x15: 000001e8c35e1cde [  103.193647] x14: 0000000000000396 x13: 000000000000035c x12: 0000000000000000 [  103.200772] x11: 000000000000003a x10: 00000000000009c0 x9 : ffff8000826eba20 [  103.207897] x8 : ffff0000090b6d20 x7 : ffff00007728c180 x6 : ffff00007728c100 [  103.215022] x5 : 0000000000000001 x4 : ffff000000508a50 x3 : ffff7ffff6146000 [  103.222147] x2 : 0000000000000000 x1 : e300b4173ee6b200 x0 : 0000000000000000 [  103.229274] Call trace: [  103.231714]  k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] (P) [  103.238408]  am65_cpsw_nuss_free_rx_chns+0x28/0x4c [ti_am65_cpsw_nuss] [  103.244942]  devm_action_release+0x14/0x20 [  103.249040]  release_nodes+0x3c/0x68 [  103.252610]  devres_release_all+0x8c/0xdc [  103.256614]  device_unbind_cleanup+0x18/0x60 [  103.260876]  device_release_driver_internal+0xf8/0x178 [  103.266004]  driver_detach+0x50/0x9c [  103.269571]  bus_remove_driver+0x6c/0xbc [  103.273485]  driver_unregister+0x30/0x60 [  103.277401]  platform_driver_unregister+0x14/0x20 [  103.282096]  am65_cpsw_nuss_driver_exit+0x18/0xff4 [ti_am65_cpsw_nuss] [  103.288620]  __arm64_sys_delete_module+0x17c/0x25c [  103.293404]  invoke_syscall+0x44/0x100 [  103.297149]  el0_svc_common.constprop.0+0xc0/0xe0 [  103.301845]  
do_el0_svc+0x1c/0x28 [  103.305155]  el0_svc+0x28/0x98 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38043",
                                "url": "https://ubuntu.com/security/CVE-2025-38043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_ffa: Set dma_mask for ffa devices  Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning:  WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38044",
                                "url": "https://ubuntu.com/security/CVE-2025-38044",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: cx231xx: set device_caps for 417  The video_device for the MPEG encoder did not set device_caps.  Add this, otherwise the video device can't be registered (you get a WARN_ON instead).  Not seen before since currently 417 support is disabled, but I found this while experimenting with it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38065",
                                "url": "https://ubuntu.com/security/CVE-2025-38065",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: Do not truncate file size  'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38066",
                                "url": "https://ubuntu.com/security/CVE-2025-38066",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm cache: prevent BUG_ON by blocking retries on failed device resumes  A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.  Reproduce steps:  1. create a cache metadata consisting of 512 or more cache blocks,    with some mappings stored in the first array block of the mapping    array. Here we use cache_restore v1.0 to build the metadata.  cat <<EOF >> cmeta.xml <superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\ policy=\"smq\" hint_width=\"4\">   <mappings>     <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>   </mappings> </superblock> EOF dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta  2. wipe the second array block of the mapping array to simulate    data degradations.  mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock  3. try bringing up the cache device. The resume is expected to fail    due to the broken array block.  dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" dmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\" dmsetup create corig --table \"0 524288 linear /dev/sdc 262144\" dmsetup create cache --notable dmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\" dmsetup resume cache  4. try resuming the cache again. An unexpected BUG_ON is triggered    while loading cache mappings.  
dmsetup resume cache  Kernel logs:  (snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smq_load_mapping+0x3e5/0x570  Fix by disallowing resume operations for devices that failed the initial attempt.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38067",
                                "url": "https://ubuntu.com/security/CVE-2025-38067",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rseq: Fix segfault on registration when rseq_cs is non-zero  The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.  The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.  What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38068",
                                "url": "https://ubuntu.com/security/CVE-2025-38068",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: lzo - Fix compression buffer overrun  Unlike the decompression code, the compression code in LZO never checked for output overruns.  It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller.  Add a safe compression interface that checks for the end of buffer before each write.  Use the safe interface in crypto/lzo.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38069",
                                "url": "https://ubuntu.com/security/CVE-2025-38069",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops  Fix a kernel oops found while testing the stm32_pcie Endpoint driver with handling of PERST# deassertion:  During EP initialization, pci_epf_test_alloc_space() allocates all BARs, which are further freed if epc_set_bar() fails (for instance, due to no free inbound window).  However, when pci_epc_set_bar() fails, the error path:    pci_epc_set_bar() ->     pci_epf_free_space()  does not clear the previous assignment to epf_test->reg[bar].  Then, if the host reboots, the PERST# deassertion restarts the BAR allocation sequence with the same allocation failure (no free inbound window), creating a double free situation since epf_test->reg[bar] was deallocated and is still non-NULL.  Thus, make sure that pci_epf_alloc_space() and pci_epf_free_space() invocations are symmetric, and as such, set epf_test->reg[bar] to NULL when memory is freed.  [kwilczynski: commit log]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38045",
                                "url": "https://ubuntu.com/security/CVE-2025-38045",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix debug actions order  The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38070",
                                "url": "https://ubuntu.com/security/CVE-2025-38070",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: sma1307: Add NULL check in sma1307_setting_loaded()  All varibale allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added.  This issue is found by our static analysis tool",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38071",
                                "url": "https://ubuntu.com/security/CVE-2025-38071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Check return value from memblock_phys_alloc_range()  At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() to throw the first 4 MiB of physical memory to the wolves.  At a minimum it should fail gracefully with a meaningful diagnostic, but in fact everything seems to work fine without the weird reserve allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38072",
                                "url": "https://ubuntu.com/security/CVE-2025-38072",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libnvdimm/labels: Fix divide error in nd_label_data_init()  If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver:   Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI  RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]  Code and flow:  1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver):  drivers/cxl/pmem.c:             .config_size = mds->lsa_size,  3) max_xfer is set to zero (nvdimm driver):  drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);  4) A subsequent DIV_ROUND_UP() causes a division by zero:  drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c-                 config_size);  Fix this by checking the config size parameter by extending an existing check.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38081",
                                "url": "https://ubuntu.com/security/CVE-2025-38081",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi-rockchip: Fix register out of bounds access  Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38047",
                                "url": "https://ubuntu.com/security/CVE-2025-38047",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fred: Fix system hang during S4 resume with FRED enabled  Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective.  It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original page frames used before hibernation unless those frames are currently in use.  Once all pages are moved to their original locations, it jumps to a \"trampoline\" page in the image kernel.  At this point, the image kernel takes control, but the FRED MSRs still contain values set by the restore kernel, which may differ from those set by the image kernel before hibernation.  Therefore, the image kernel must ensure the FRED MSRs have the same values as before hibernation. Since these values depend only on the location of the kernel text and data, they can be recomputed from scratch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38073",
                                "url": "https://ubuntu.com/security/CVE-2025-38073",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: fix race between set_blocksize and read paths  With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash.  Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device.  The read call can create an order-0 folio to read the first 4096 bytes from the disk.  But then udev is preempted.  Next, someone tries to mount an 8k-sectorsize filesystem from the same block device.  The filesystem calls set_blksize, which sets i_blksize to 8192 and the minimum folio order to 1.  Now udev resumes, still holding the order-0 folio it allocated.  It then tries to schedule a read bio and do_mpage_readahead tries to create bufferheads for the folio.  Unfortunately, blocks_per_folio == 0 because the page size is 4096 but the blocksize is 8192 so no bufferheads are attached and the bh walk never sets bdev.  We then submit the bio with a NULL block device and crash.  Therefore, truncate the page cache after flushing but before updating i_blksize.  However, that's not enough -- we also need to lock out file IO and page faults during the update.  Take both the i_rwsem and the invalidate_lock in exclusive mode for invalidations, and in shared mode for read/write operations.  I don't know if this is the correct fix, but xfs/259 found it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38074",
                                "url": "https://ubuntu.com/security/CVE-2025-38074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vhost-scsi: protect vq->log_used with vq->mutex  The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.      vhost-thread                       QEMU-thread  vhost_scsi_complete_cmd_work() -> vhost_add_used()    -> vhost_add_used_n()       if (unlikely(vq->log_used))                                       QEMU disables vq->log_used                                       via VHOST_SET_VRING_ADDR.                                       mutex_lock(&vq->mutex);                                       vq->log_used = false now!                                       mutex_unlock(&vq->mutex);  \t\t\t\t      QEMU gfree(vq->log_base)         log_used()         -> log_write(vq->log_base)  Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace.  The control queue path has the same issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38048",
                                "url": "https://ubuntu.com/security/CVE-2025-38048",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN  syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred:  ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed  write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:  virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653  start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264  __netdev_start_xmit include/linux/netdevice.h:5151 [inline]  netdev_start_xmit include/linux/netdevice.h:5160 [inline]  xmit_one net/core/dev.c:3800 [inline]  read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:  virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]  virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566  skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777  vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715  __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158  handle_irq_event_percpu kernel/irq/handle.c:193 [inline]  value changed: 0x01 -> 0x00 ==================================================================  When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used.  Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38075",
                                "url": "https://ubuntu.com/security/CVE-2025-38075",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: iscsi: Fix timeout on deleted connection  NOPIN response timer may expire on a deleted connection and crash with such logs:  Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d  BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP  strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace:  iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]  call_timer_fn+0x58/0x1f0  run_timer_softirq+0x740/0x860  __do_softirq+0x16c/0x420  irq_exit+0x188/0x1c0  timer_interrupt+0x184/0x410  That is because nopin response timer may be re-started on nopin timer expiration.  Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38350",
                                "url": "https://ubuntu.com/security/CVE-2025-38350",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Always pass notifications when child class becomes empty  Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.  The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:      tc qdisc add dev lo root handle 1: drr     tc filter add dev lo parent 1: basic classid 1:1     tc class add dev lo parent 1: classid 1:1 drr     tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1     tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0     tc qdisc add dev lo parent 2:1 handle 3: netem     tc qdisc add dev lo parent 3:1 handle 4: blackhole      echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888     tc class delete dev lo classid 1:1     echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888  Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-19 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-32.32 -proposed tracker (LP: #2121653)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.08.11)",
                            "",
                            "  * Pytorch reports incorrect GPU memory causing \"HIP Out of Memory\" errors",
                            "    (LP: #2120454)",
                            "    - drm/amdkfd: add a new flag to manage where VRAM allocations go",
                            "    - drm/amdkfd: use GTT for VRAM on APUs only if GTT is larger",
                            "",
                            "  * nvme no longer detected on boot after upgrade to 6.8.0-60 (LP: #2111521)",
                            "    - SAUCE: PCI: Disable RRS polling for Intel SSDPE2KX020T8 nvme",
                            "",
                            "  * kernel panic when reloading apparmor 5.0.0 profiles (LP: #2120233)",
                            "    - SAUCE: apparmor5.0.0 [59/53]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * [SRU] Add support for ALC1708 codec on TRBL platform (LP: #2116247)",
                            "    - ASoC: Intel: soc-acpi-intel-lnl-match: add rt1320_l12_rt714_l0 support",
                            "",
                            "  * [SRU] Add waiting latency for USB port resume (LP: #2115478)",
                            "    - usb: hub: fix detection of high tier USB3 devices behind suspended hubs",
                            "    - usb: hub: Fix flushing and scheduling of delayed work that tunes runtime",
                            "      pm",
                            "    - usb: hub: Fix flushing of delayed work used for post resume purposes",
                            "",
                            "  * minimal kernel lacks modules for blk disk in arm64 openstack environments",
                            "    where config_drive is required (LP: #2118499)",
                            "    - [Config] Enable SYM53C8XX_2 on arm64",
                            "",
                            "  * Support xe2_hpg (LP: #2116175)",
                            "    - drm/xe/xe2_hpg: Add PCI IDs for xe2_hpg",
                            "    - drm/xe/xe2_hpg: Define additional Xe2_HPG GMD_ID",
                            "    - drm/xe/xe2_hpg: Add set of workarounds",
                            "    - drm/xe/xe2hpg: Add Wa_16025250150",
                            "",
                            "  * drm/xe: Lite restore breaks fdinfo drm-cycles-rcs reporting (LP: #2119526)",
                            "    - drm/xe: Add WA BB to capture active context utilization",
                            "    - drm/xe/lrc: Use a temporary buffer for WA BB",
                            "",
                            "  * No IP Address assigned after hot-plugging Ethernet cable on HP Platform",
                            "    (LP: #2115393)",
                            "    - Revert \"e1000e: change k1 configuration on MTP and later platforms\"",
                            "",
                            "  * I/O performance regression on NVMes under same bridge (dual port nvme)",
                            "    (LP: #2115738)",
                            "    - iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes",
                            "    - iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags()",
                            "    - iommu/vt-d: Create unique domain ops for each stage",
                            "    - iommu/vt-d: Split intel_iommu_enforce_cache_coherency()",
                            "    - iommu/vt-d: Split paging_domain_compatible()",
                            "    - iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain",
                            "",
                            "  * BPF header file in wrong location (LP: #2118965)",
                            "    - [Packaging] Install bpf header to correct location",
                            "",
                            "  * Internal microphone not working on ASUS VivoBook with Realtek ALC256",
                            "    (Ubuntu 24.04 + kernel 6.15) (LP: #2112330)",
                            "    - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA",
                            "",
                            "  * Documentation update for  [Ubuntu25.04] \"virsh attach-interface\" requires",
                            "    a reboot to reflect the attached interfaces on the guest (LP: #2111231)",
                            "    - powerpc/pseries/dlpar: Search DRC index from ibm, drc-indexes for IO add",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603)",
                            "    - tools/x86/kcpuid: Fix error handling",
                            "    - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in",
                            "      mwait_idle_with_hints() and prefer_mwait_c1_over_halt()",
                            "    - crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run()",
                            "    - sched: Fix trace_sched_switch(.prev_state)",
                            "    - perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member",
                            "    - perf/x86/amd/uncore: Prevent UMC counters from saturating",
                            "    - gfs2: replace sd_aspace with sd_inode",
                            "    - gfs2: gfs2_create_inode error handling fix",
                            "    - perf/core: Fix broken throttling when max_samples_per_tick=1",
                            "    - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions",
                            "    - powerpc: do not build ppc_save_regs.o always",
                            "    - powerpc/crash: Fix non-smp kexec preparation",
                            "    - sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed",
                            "      tasks",
                            "    - x86/microcode/AMD: Do not return error when microcode update is not",
                            "      necessary",
                            "    - crypto: sun8i-ce - undo runtime PM changes during driver removal",
                            "    - x86/cpu: Sanitize CPUID(0x80000000) output",
                            "    - x86/insn: Fix opcode map (!REX2) superscript tags",
                            "    - brd: fix aligned_sector from brd_do_discard()",
                            "    - brd: fix discard end sector",
                            "    - kselftest: cpufreq: Get rid of double suspend in rtcwake case",
                            "    - crypto: marvell/cesa - Avoid empty transfer descriptor",
                            "    - erofs: fix file handle encoding for 64-bit NIDs",
                            "    - powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view",
                            "    - btrfs: scrub: update device stats when an error is detected",
                            "    - btrfs: scrub: fix a wrong error type when metadata bytenr mismatches",
                            "    - btrfs: fix invalid data space release when truncating block in NOCOW",
                            "      mode",
                            "    - rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture",
                            "    - crypto: lrw - Only add ecb if it is not already there",
                            "    - crypto: xts - Only add ecb if it is not already there",
                            "    - crypto: sun8i-ce - move fallback ahash_request to the end of the struct",
                            "    - kunit: Fix wrong parameter to kunit_deactivate_static_stub()",
                            "    - crypto: api - Redo lookup on EEXIST",
                            "    - ACPICA: exserial: don't forget to handle FFixedHW opregions for reading",
                            "    - ASoC: tas2764: Enable main IRQs",
                            "    - EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo",
                            "      channel 0",
                            "    - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers",
                            "    - spi: tegra210-quad: remove redundant error handling code",
                            "    - spi: tegra210-quad: modify chip select (CS) deactivation",
                            "    - power: reset: at91-reset: Optimize at91_reset()",
                            "    - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type",
                            "    - ASoC: SOF: amd: add missing acp descriptor field",
                            "    - PM: wakeup: Delete space in the end of string shown by",
                            "      pm_show_wakelocks()",
                            "    - ACPI: resource: fix a typo for MECHREVO in",
                            "      irq1_edge_low_force_override[]",
                            "    - x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()",
                            "    - PM: sleep: Print PM debug messages during hibernation",
                            "    - thermal/drivers/mediatek/lvts: Fix debugfs unregister on failure",
                            "    - ACPI: OSI: Stop advertising support for \"3.0 _SCP Extensions\"",
                            "    - spi: sh-msiof: Fix maximum DMA transfer size",
                            "    - ASoC: apple: mca: Constrain channels according to TDM mask",
                            "    - ALSA: core: fix up bus match const issues.",
                            "    - drm/vmwgfx: Add seqno waiter for sync_files",
                            "    - drm/vmwgfx: Add error path for xa_store in vmw_bo_add_detached_resource",
                            "    - drm/vmwgfx: Fix dumb buffer leak",
                            "    - drm/xe/d3cold: Set power state to D3Cold during s2idle/s3",
                            "    - drm/vc4: tests: Use return instead of assert",
                            "    - media: rkvdec: Fix frame size enumeration",
                            "    - arm64/fpsimd: Avoid RES0 bits in the SME trap handler",
                            "    - arm64/fpsimd: Don't corrupt FPMR when streaming mode changes",
                            "    - arm64/fpsimd: Reset FPMR upon exec()",
                            "    - arm64/fpsimd: Fix merging of FPSIMD state during signal return",
                            "    - drm/panthor: Fix GPU_COHERENCY_ACE[_LITE] definitions",
                            "    - drm/panthor: Update panthor_mmu::irq::mask when needed",
                            "    - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support",
                            "    - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()",
                            "    - fs/ntfs3: Add missing direct_IO in ntfs_aops_cmpr",
                            "    - kunit/usercopy: Disable u64 test on 32-bit SPARC",
                            "    - watchdog: exar: Shorten identity name to fit correctly",
                            "    - m68k: mac: Fix macintosh_config for Mac II",
                            "    - firmware: psci: Fix refcount leak in psci_dt_init",
                            "    - arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX",
                            "    - selftests/seccomp: fix syscall_restart test for arm compat",
                            "    - drm/msm/dpu: enable SmartDMA on SM8150",
                            "    - drm/msm/dpu: enable SmartDMA on SC8180X",
                            "    - drm: rcar-du: Fix memory leak in rcar_du_vsps_init()",
                            "    - drm/vkms: Adjust vkms_state->active_planes allocation type",
                            "    - drm/tegra: rgb: Fix the unbound reference count",
                            "    - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES",
                            "    - arm64/fpsimd: Do not discard modified SVE state",
                            "    - overflow: Fix direct struct member initialization in _DEFINE_FLEX()",
                            "    - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops",
                            "    - selftests/seccomp: fix negative_ENOSYS tracer tests on arm32",
                            "    - drm/msm/a6xx: Disable rgb565_predicator on Adreno 7c3",
                            "    - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr",
                            "    - drm/mediatek: Fix kobject put for component sub-drivers",
                            "    - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err",
                            "    - media: verisilicon: Free post processor buffers on error",
                            "    - svcrdma: Reduce the number of rdma_rw contexts per-QP",
                            "    - xen/x86: fix initial memory balloon target",
                            "    - wifi: ath12k: Fix memory leak during vdev_id mismatch",
                            "    - wifi: ath12k: Fix invalid memory access while forming 802.11 header",
                            "    - IB/cm: use rwlock for MAD agent lock",
                            "    - bpf: Check link_create.flags parameter for multi_kprobe",
                            "    - selftests/bpf: Fix bpf_nf selftest failure",
                            "    - bpf, sockmap: fix duplicated data transmission",
                            "    - wifi: ath12k: fix cleanup path after mhi init",
                            "    - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc",
                            "    - f2fs: clean up unnecessary indentation",
                            "    - f2fs: prevent the current section from being selected as a victim during",
                            "      GC",
                            "    - page_pool: Move pp_magic check into helper functions",
                            "    - page_pool: Track DMA-mapped pages and unmap them when destroying the",
                            "      pool",
                            "    - net: ncsi: Fix GCPS 64-bit member variables",
                            "    - libbpf: Fix buffer overflow in bpf_object__init_prog",
                            "    - net/mlx5: Avoid using xso.real_dev unnecessarily",
                            "    - xfrm: Use xdo.dev instead of xdo.real_dev",
                            "    - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT",
                            "    - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally",
                            "    - wifi: rtw88: do not ignore hardware read error during DPK",
                            "    - wifi: ath12k: Add MSDU length validation for TKIP MIC error",
                            "    - wifi: ath12k: Fix the QoS control field offset to build QoS header",
                            "    - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h",
                            "    - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk",
                            "    - libbpf: Fix event name too long error",
                            "    - libbpf: Remove sample_period init in perf_buffer",
                            "    - Use thread-safe function pointer in libbpf_print",
                            "    - iommu: Protect against overflow in iommu_pgsize()",
                            "    - bonding: assign random address if device address is same as bond",
                            "    - f2fs: clean up w/ fscrypt_is_bounce_page()",
                            "    - f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()",
                            "    - libbpf: Use proper errno value in linker",
                            "    - bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps",
                            "    - netfilter: bridge: Move specific fragmented packet to slow_path instead",
                            "      of dropping it",
                            "    - netfilter: nft_quota: match correctly when the quota just depleted",
                            "    - bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ",
                            "    - tracing: Move histogram trigger variables from stack to per CPU",
                            "      structure",
                            "    - clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs",
                            "    - clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs",
                            "    - clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs",
                            "    - clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs",
                            "    - bpftool: Fix regression of \"bpftool cgroup tree\" EINVAL on older kernels",
                            "    - wifi: iwlfiwi: mvm: Fix the rate reporting",
                            "    - efi/libstub: Describe missing 'out' parameter in efi_load_initrd",
                            "    - selftests/bpf: Fix caps for __xlated/jited_unpriv",
                            "    - tracing: Rename event_trigger_alloc() to trigger_data_alloc()",
                            "    - tracing: Fix error handling in event_trigger_parse()",
                            "    - of: unittest: Unlock on error in unittest_data_add()",
                            "    - ktls, sockmap: Fix missing uncharge operation",
                            "    - libbpf: Use proper errno value in nlattr",
                            "    - dt-bindings: soc: fsl,qman-fqd: Fix reserved-memory.yaml reference",
                            "    - clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz",
                            "    - s390/bpf: Store backchain even for leaf progs",
                            "    - wifi: rtw89: pci: enlarge retry times of RX tag to 1000",
                            "    - wifi: rtw89: fix firmware scan delay unit for WiFi 6 chips",
                            "    - iommu: remove duplicate selection of DMAR_TABLE",
                            "    - wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event",
                            "    - hisi_acc_vfio_pci: add eq and aeq interruption restore",
                            "    - scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort()",
                            "    - Bluetooth: ISO: Fix not using SID from adv report",
                            "    - wifi: mt76: mt7925: prevent multiple scan commands",
                            "    - wifi: mt76: mt7925: refine the sniffer commnad",
                            "    - wifi: mt76: mt7925: ensure all MCU commands wait for response",
                            "    - wifi: mt76: mt7996: set EHT max ampdu length capability",
                            "    - wifi: mt76: mt7996: fix RX buffer size of MCU event",
                            "    - bpf: Revert \"bpf: remove unnecessary rcu_read_{lock,unlock}() in multi-",
                            "      uprobe attach logic\"",
                            "    - netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft",
                            "      only builds",
                            "    - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy",
                            "    - vfio/type1: Fix error unwind in migration dirty bitmap allocation",
                            "    - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()",
                            "    - netfilter: nf_tables: nft_fib: consistent l3mdev handling",
                            "    - netfilter: nft_tunnel: fix geneve_opt dump",
                            "    - RISC-V: KVM: lock the correct mp_state during reset",
                            "    - vsock/virtio: fix `rx_bytes` accounting for stream sockets",
                            "    - net: lan966x: Fix 1-step timestamping over ipv4 or ipv6",
                            "    - net: xilinx: axienet: Fix Tx skb circular buffer occupancy check in",
                            "      dmaengine xmit",
                            "    - net: phy: fix up const issues in to_mdio_device() and to_phy_device()",
                            "    - net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy",
                            "    - net: lan743x: Fix PHY reset handling during initialization and WOL",
                            "    - octeontx2-pf: QOS: Perform cache sync on send queue teardown",
                            "    - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames",
                            "    - f2fs: use d_inode(dentry) cleanup dentry->d_inode",
                            "    - f2fs: fix to correct check conditions in f2fs_cross_rename",
                            "    - arm64: dts: qcom: sm8650: setup gpu thermal with higher temperatures",
                            "    - arm64: dts: qcom: sm8650: add missing cpu-cfg interconnect path in the",
                            "      mdss node",
                            "    - arm64: dts: qcom: x1e80100-romulus: Keep L12B and L15B always on",
                            "    - arm64: dts: qcom: sdm845-starqltechn: remove wifi",
                            "    - arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake",
                            "    - arm64: dts: qcom: sdm845-starqltechn: refactor node order",
                            "    - arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios",
                            "    - arm64: dts: qcom: sm8350: Reenable crypto & cryptobam",
                            "    - arm64: dts: qcom: sm8250: Fix CPU7 opp table",
                            "    - arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies",
                            "    - arm64: dts: qcom: ipq9574: Fix USB vdd info",
                            "    - arm64: dts: rockchip: Move SHMEM memory to reserved memory on rk3588",
                            "    - ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select",
                            "    - ARM: dts: at91: at91sam9263: fix NAND chip selects",
                            "    - arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains",
                            "    - arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect",
                            "      GPIO",
                            "    - arm64: dts: mt8183: Add port node to mt8183.dtsi",
                            "    - arm64: dts: imx8mm-beacon: Fix RTC capacitive load",
                            "    - arm64: dts: imx8mn-beacon: Fix RTC capacitive load",
                            "    - arm64: dts: imx8mp-beacon: Fix RTC capacitive load",
                            "    - arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI",
                            "      audio",
                            "    - arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI",
                            "      audio",
                            "    - arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles",
                            "    - arm64: dts: mt6359: Add missing 'compatible' property to regulators node",
                            "    - arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply",
                            "    - arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning",
                            "    - arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3566-rock3c",
                            "    - arm64: dts: rockchip: Update eMMC for NanoPi R5 series",
                            "    - arm64: tegra: Drop remaining serial clock-names and reset-names",
                            "    - arm64: tegra: Add uartd serial alias for Jetson TX1 module",
                            "    - arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E",
                            "    - soc: qcom: smp2p: Fix fallback to qcom,ipc parse",
                            "    - ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery",
                            "    - nilfs2: add pointer check for nilfs_direct_propagate()",
                            "    - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()",
                            "    - dt-bindings: vendor-prefixes: Add Liontron name",
                            "    - ARM: dts: qcom: apq8064: add missing clocks to the timer node",
                            "    - ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon",
                            "      device",
                            "    - ARM: dts: qcom: apq8064: move replicator out of soc node",
                            "    - arm64: defconfig: mediatek: enable PHY drivers",
                            "    - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399",
                            "      Puma with Haikou",
                            "    - arm64: dts: qcom: qcm2290: fix (some) of QUP interconnects",
                            "    - arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups",
                            "    - arm64: dts: mt6359: Rename RTC node to match binding expectations",
                            "    - ARM: aspeed: Don't select SRAM",
                            "    - soc: aspeed: lpc: Fix impossible judgment condition",
                            "    - randstruct: gcc-plugin: Remove bogus void member",
                            "    - randstruct: gcc-plugin: Fix attribute addition",
                            "    - perf build: Warn when libdebuginfod devel files are not available",
                            "    - perf ui browser hists: Set actions->thread before calling",
                            "      do_zoom_thread()",
                            "    - dm: don't change md if dm_table_set_restrictions() fails",
                            "    - dm: free table mempools if not used in __bind",
                            "    - x86/irq: Ensure initial PIR loads are performed exactly once",
                            "    - perf symbol-minimal: Fix double free in filename__read_build_id",
                            "    - dm-flakey: error all IOs when num_features is absent",
                            "    - dm-flakey: make corrupting read bios work",
                            "    - perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids()",
                            "    - perf tests: Fix 'perf report' tests installation",
                            "    - perf intel-pt: Fix PEBS-via-PT data_src",
                            "    - perf scripts python: exported-sql-viewer.py: Fix pattern matching with",
                            "      Python 3",
                            "    - remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe",
                            "    - remoteproc: k3-r5: Drop check performed in",
                            "      k3_r5_rproc_{mbox_callback/kick}",
                            "    - remoteproc: k3-dsp: Drop check performed in",
                            "      k3_dsp_rproc_{mbox_callback/kick}",
                            "    - rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()",
                            "    - mfd: exynos-lpass: Fix an error handling path in exynos_lpass_probe()",
                            "    - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in",
                            "      exynos_lpass_remove()",
                            "    - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE",
                            "    - perf tests switch-tracking: Fix timestamp comparison",
                            "    - mailbox: imx: Fix TXDB_V2 sending",
                            "    - mailbox: mtk-cmdq: Refine GCE_GCTL_VALUE setting",
                            "    - perf symbol: Fix use-after-free in filename__read_build_id",
                            "    - perf record: Fix incorrect --user-regs comments",
                            "    - perf trace: Always print return value for syscalls returning a pid",
                            "    - nfs: clear SB_RDONLY before getting superblock",
                            "    - nfs: ignore SB_RDONLY when remounting nfs",
                            "    - perf trace: Set errpid to false for rseq and set_robust_list",
                            "    - perf callchain: Always populate the addr_location map when adding IP",
                            "    - cifs: Fix validation of SMB1 query reparse point response",
                            "    - rust: alloc: add missing invariant in Vec::set_len()",
                            "    - rtc: sh: assign correct interrupts with DT",
                            "    - phy: rockchip: samsung-hdptx: Fix clock ratio setup",
                            "    - phy: rockchip: samsung-hdptx: Do no set rk_hdptx_phy->rate in case of",
                            "      errors",
                            "    - PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus()",
                            "    - PCI: rcar-gen4: set ep BAR4 fixed size",
                            "    - PCI: cadence: Fix runtime atomic count underflow",
                            "    - PCI: apple: Use gpiod_set_value_cansleep in probe flow",
                            "    - PCI/DPC: Initialize aer_err_info before using it",
                            "    - PCI/DPC: Log Error Source ID only when valid",
                            "    - rtc: loongson: Add missing alarm notifications for ACPI RTC events",
                            "    - PCI: endpoint: Retain fixed-size BAR size as well as aligned size",
                            "    - thunderbolt: Fix a logic error in wake on connect",
                            "    - iio: filter: admv8818: fix band 4, state 15",
                            "    - iio: filter: admv8818: fix integer overflow",
                            "    - iio: filter: admv8818: fix range calculation",
                            "    - iio: filter: admv8818: Support frequencies >= 2^32",
                            "    - iio: adc: ad7124: Fix 3dB filter frequency reading",
                            "    - MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a",
                            "    - coresight: Fixes device's owner field for registered using",
                            "      coresight_init_driver()",
                            "    - coresight: catu: Introduce refcount and spinlock for enabling/disabling",
                            "    - counter: interrupt-cnt: Protect enable/disable OPs with mutex",
                            "    - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()",
                            "    - mei: vsc: Cast tx_buf to (__be32 *) when passed to cpu_to_be32_array()",
                            "    - iio: adc: PAC1934: fix typo in documentation link",
                            "    - iio: adc: mcp3911: fix device dependent mappings for conversion result",
                            "      registers",
                            "    - USB: gadget: udc: fix const issue in gadget_match_driver()",
                            "    - USB: typec: fix const issue in typec_match()",
                            "    - loop: add file_start_write() and file_end_write()",
                            "    - drm/xe: Make xe_gt_freq part of the Documentation",
                            "    - Fix sock_exceed_buf_limit not being triggered in",
                            "      __sk_mem_raise_allocated",
                            "    - net: stmmac: platform: guarantee uniqueness of bus_id",
                            "    - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt",
                            "    - net: tipc: fix refcount warning in tipc_aead_encrypt",
                            "    - driver: net: ethernet: mtk_star_emac: fix suspend/resume issue",
                            "    - net/mlx4_en: Prevent potential integer overflow calculating Hz",
                            "    - net: lan966x: Make sure to insert the vlan tags also in host mode",
                            "    - spi: bcm63xx-spi: fix shared reset",
                            "    - spi: bcm63xx-hsspi: fix shared reset",
                            "    - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION",
                            "    - ice: create new Tx scheduler nodes for new queues only",
                            "    - ice: fix rebuilding the Tx scheduler tree for large queue counts",
                            "    - idpf: fix a race in txq wakeup",
                            "    - idpf: avoid mailbox timeout delays during reset",
                            "    - net: dsa: tag_brcm: legacy: fix pskb_may_pull length",
                            "    - drm/i915/guc: Check if expecting reply before decrementing",
                            "      outstanding_submission_g2h",
                            "    - drm/i915/psr: Fix using wrong mask in REG_FIELD_PREP",
                            "    - drm/i915/guc: Handle race condition where wakeref count drops below 0",
                            "    - vmxnet3: correctly report gso type for UDP tunnels",
                            "    - selftests: net: build net/lib dependency in all target",
                            "    - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices",
                            "    - nvme: fix command limits status code",
                            "    - drm/panel-simple: fix the warnings for the Evervision VGG644804",
                            "    - netfilter: nf_nat: also check reverse tuple to obtain clashing entry",
                            "    - net: ti: icssg-prueth: Fix swapped TX stats for MII interfaces.",
                            "    - net: dsa: b53: do not enable RGMII delay on bcm63xx",
                            "    - net: dsa: b53: allow RGMII for bcm63xx RGMII ports",
                            "    - net: dsa: b53: do not touch DLL_IQQD on bcm53115",
                            "    - wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements",
                            "    - net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing",
                            "    - wireguard: device: enable threaded NAPI",
                            "    - scsi: ufs: qcom: Prevent calling phy_exit() before phy_init()",
                            "    - ASoC: codecs: hda: Fix RPM usage count underflow",
                            "    - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX",
                            "    - ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init",
                            "    - iov_iter: use iov_offset for length calculation in iov_iter_aligned_bvec",
                            "    - path_overmount(): avoid false negatives",
                            "    - fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)",
                            "    - do_change_type(): refuse to operate on unmounted/not ours mounts",
                            "    - tools/power turbostat: Fix AMD package-energy reporting",
                            "    - ALSA: hda/realtek: Add support for various HP Laptops using CS35L41 HDA",
                            "    - ALSA: hda/realtek - Support mute led function for HP platform",
                            "    - ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup",
                            "    - ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA",
                            "    - Input: synaptics-rmi - fix crash with unsupported versions of F34",
                            "    - pmdomain: core: Introduce dev_pm_genpd_rpm_always_on()",
                            "    - mmc: sdhci-of-dwcmshc: add PD workaround on RK3576",
                            "    - pinctrl: samsung: refactor drvdata suspend & resume callbacks",
                            "    - pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks",
                            "    - pinctrl: samsung: add gs101 specific eint suspend/resume callbacks",
                            "    - Bluetooth: hci_core: fix list_for_each_entry_rcu usage",
                            "    - Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers",
                            "    - Bluetooth: btintel_pcie: Increase the tx and rx descriptor count",
                            "    - Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race",
                            "      condition",
                            "    - Bluetooth: MGMT: Remove unused mgmt_pending_find_data",
                            "    - net: dsa: b53: fix untagged traffic sent via cpu tagged with VID 0",
                            "    - ath10k: snoc: fix unbalanced IRQ enable in crash recovery",
                            "    - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()",
                            "    - wifi: ath11k: don't use static variables in",
                            "      ath11k_debugfs_fw_stats_process()",
                            "    - wifi: ath11k: don't wait when there is no vdev started",
                            "    - wifi: ath11k: move some firmware stats related functions outside of",
                            "      debugfs",
                            "    - wifi: ath11k: validate ath11k_crypto_mode on top of",
                            "      ath11k_core_qmi_firmware_ready",
                            "    - wifi: ath12k: refactor ath12k_hw_regs structure",
                            "    - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()",
                            "    - spi: omap2-mcspi: Disable multi mode when CS should be kept asserted",
                            "      after message",
                            "    - spi: omap2-mcspi: Disable multi-mode when the previous message kept CS",
                            "      asserted",
                            "    - pinctrl: qcom: pinctrl-qcm2290: Add missing pins",
                            "    - scsi: iscsi: Fix incorrect error path labels for flashnode operations",
                            "    - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()",
                            "    - drm/meson: fix debug log statement when setting the HDMI clocks",
                            "    - drm/meson: use vclk_freq instead of pixel_freq in debug print",
                            "    - drm/meson: fix more rounding issues with 59.94Hz modes",
                            "    - i40e: return false from i40e_reset_vf if reset is in progress",
                            "    - i40e: retry VFLR handling if there is ongoing VF reset",
                            "    - macsec: MACsec SCI assignment for ES = 0",
                            "    - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance",
                            "    - Bluetooth: MGMT: Fix sparse errors",
                            "    - net/mlx5: Ensure fw pages are always allocated on same NUMA",
                            "    - net/mlx5: Fix return value when searching for existing flow group",
                            "    - net/mlx5: HWS, fix missing ip_version handling in definer",
                            "    - net/mlx5e: Fix leak of Geneve TLV option object",
                            "    - net_sched: tbf: fix a race in tbf_change()",
                            "    - fs/filesystems: Fix potential unsigned integer underflow in fs_name()",
                            "    - gfs2: pass through holder from the VFS for freeze/thaw",
                            "    - btrfs: exit after state split error at set_extent_bit()",
                            "    - nvmet-fcloop: access fcpreq only when holding reqlock",
                            "    - perf: Ensure bpf_perf_link path is properly serialized",
                            "    - block: use q->elevator with ->elevator_lock held in elv_iosched_show()",
                            "    - io_uring: consistently use rcu semantics with sqpoll thread",
                            "    - bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP",
                            "    - block: Fix bvec_set_folio() for very large folios",
                            "    - objtool/rust: relax slice condition to cover more `noreturn` Rust",
                            "      functions",
                            "    - tools/resolve_btfids: Fix build when cross compiling kernel with clang.",
                            "    - Revert \"wifi: mwifiex: Fix HT40 bandwidth issue.\"",
                            "    - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1",
                            "    - usb: usbtmc: Fix read_stb function and get_stb ioctl",
                            "    - tty: serial: 8250_omap: fix TX with DMA for am33xx",
                            "    - usb: misc: onboard_usb_dev: Fix usb5744 initialization sequence",
                            "    - usb: cdnsp: Fix issue with detecting command completion event",
                            "    - usb: cdnsp: Fix issue with detecting USB 3.2 speed",
                            "    - usb: Flush altsetting 0 endpoints before reinitializating them after",
                            "      reset.",
                            "    - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()",
                            "    - 9p: Add a migrate_folio method",
                            "    - ring-buffer: Move cpus_read_lock() outside of buffer->mutex",
                            "    - xfs: don't assume perags are initialised when trimming AGs",
                            "    - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall",
                            "    - x86/fred/signal: Prevent immediate repeat of single step trap on return",
                            "      from SIGTRAP handler",
                            "    - calipso: unlock rcu before returning -EAFNOSUPPORT",
                            "    - regulator: dt-bindings: mt6357: Drop fixed compatible requirement",
                            "    - usb: misc: onboard_usb_dev: fix build warning for",
                            "      CONFIG_USB_ONBOARD_DEV_USB5744=n",
                            "    - net: usb: aqc111: debug info before sanitation",
                            "    - overflow: Introduce __DEFINE_FLEX for having no initializer",
                            "    - gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add",
                            "    - thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit",
                            "    - pidfs: move O_RDWR into pidfs_alloc_file()",
                            "    - ACPICA: Introduce ACPI_NONSTRING",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Apply ACPI_NONSTRING in more places",
                            "    - bcachefs: Repair code for directory i_size",
                            "    - bcachefs: delete dead code from may_delete_deleted_inode()",
                            "    - bcachefs: Run may_delete_deleted_inode() checks in bch2_inode_rm()",
                            "    - bcachefs: Fix subvol to missing root repair",
                            "    - crypto: ecdsa - Fix enc/dec size reported by KEYCTL_PKEY_QUERY",
                            "    - crypto: ecdsa - Fix NIST P521 key size reported by KEYCTL_PKEY_QUERY",
                            "    - spinlock: extend guard with spinlock_bh variants",
                            "    - crypto: zynqmp-sha - Add locking",
                            "    - gfs2: Move gfs2_dinode_dealloc",
                            "    - gfs2: Move GIF_ALLOC_FAILED check out of gfs2_ea_dealloc",
                            "    - selftests: coredump: Properly initialize pointer",
                            "    - selftests: coredump: Fix test failure for slow machines",
                            "    - selftests: coredump: Raise timeout to 2 minutes",
                            "    - sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE",
                            "    - gfs2: Move gfs2_trans_add_databufs",
                            "    - gfs2: Don't start unnecessary transactions during log flush",
                            "    - platform/chrome: cros_ec_typec: Set Pin Assignment E in DP PORT VDO",
                            "    - PM: runtime: Add new devm functions",
                            "    - spi: atmel-quadspi: Fix unbalanced pm_runtime by using devm_ API",
                            "    - EDAC/bluefield: Don't use bluefield_edac_readl() result on error",
                            "    - drm: xlnx: zynqmp_dpsub: fix Kconfig dependencies for ASoC",
                            "    - drm/vc4: hdmi: Call HDMI hotplug helper on disconnect",
                            "    - drm/panthor: Call panthor_gpu_coherency_init() after PM resume()",
                            "    - accel/amdxdna: Fix incorrect size of ERT_START_NPU commands",
                            "    - drm/panthor: Fix the panthor_gpu_coherency_init() error path",
                            "    - drm/amdgpu: Refine Cleaner Shader MEC firmware version for GFX10.1.x",
                            "      GPUs",
                            "    - drm/v3d: Associate a V3D tech revision to all supported devices",
                            "    - drm/v3d: fix client obtained from axi_ids on V3D 4.1",
                            "    - drm/v3d: client ranges from axi_ids are different with V3D 7.1",
                            "    - drm/msm/dpu: remove DSC feature bit for PINGPONG on MSM8937",
                            "    - drm/msm/dpu: remove DSC feature bit for PINGPONG on MSM8917",
                            "    - drm/msm/dpu: remove DSC feature bit for PINGPONG on MSM8953",
                            "    - drm/amd/display: Don't check for NULL divisor in fixpt code",
                            "    - kselftest/arm64: fp-ptrace: Fix expected FPMR value when PSTATE.SM is",
                            "      changed",
                            "    - drm/i915/dp_mst: Use the correct connector while computing the link BPP",
                            "      limit on MST",
                            "    - libbpf: Fix implicit memfd_create() for bionic",
                            "    - bpf: Check link_create.flags parameter for multi_uprobe",
                            "    - net: phy: mediatek: permit to compile test GE SOC PHY driver",
                            "    - wifi: ath12k: Resolve multicast packet drop by populating key_cipher in",
                            "      ath12k_install_key()",
                            "    - wifi: ath12k: fix SLUB BUG - Object already free in ath12k_reg_free()",
                            "    - wifi: ath12k: fix ATH12K_FLAG_REGISTERED flag handling",
                            "    - net/mlx5: HWS, Fix matcher action template attach",
                            "    - xfrm: provide common xdo_dev_offload_ok callback implementation",
                            "    - xfrm: Add explicit dev to .xdo_dev_state_{add,delete,free}",
                            "    - bonding: Mark active offloaded xfrm_states",
                            "    - bonding: Fix multiple long standing offload races",
                            "    - wifi: ath12k: Handle error cases during extended skb allocation",
                            "    - wifi: ath12k: Refactor the monitor Rx parser handler argument",
                            "    - wifi: ath12k: Add extra TLV tag parsing support in monitor Rx path",
                            "    - wifi: ath12k: Avoid fetch Error bitmap and decap format from Rx TLV",
                            "    - wifi: ath12k: Replace band define G with GHZ where appropriate",
                            "    - wifi: ath12k: change the status update in the monitor Rx",
                            "    - wifi: ath12k: add rx_info to capture required field from rx descriptor",
                            "    - wifi: ath12k: remove redundant declaration of ath12k_dp_rx_h_find_peer()",
                            "    - wifi: ath12k: replace the usage of rx desc with rx_info",
                            "    - wifi: ath12k: fix wrong handling of CCMP256 and GCMP ciphers",
                            "    - wifi: iwlwifi: re-add IWL_AMSDU_8K case",
                            "    - iommu: ipmmu-vmsa: avoid Wformat-security warning",
                            "    - iommu/io-pgtable-arm: dynamically allocate selftest device struct",
                            "    - f2fs: zone: fix to calculate first_zoned_segno correctly",
                            "    - selftests/bpf: Fix kmem_cache iterator draining",
                            "    - iommu/arm-smmu-v3: Fix incorrect return in arm_smmu_attach_dev",
                            "    - clk: test: Forward-declare struct of_phandle_args in kunit/clk.h",
                            "    - pinctrl: qcom: correct the ngpios entry for QCS615",
                            "    - pinctrl: qcom: correct the ngpios entry for QCS8300",
                            "    - wifi: ath12k: Reorder and relocate the release of resources in",
                            "      ath12k_core_deinit()",
                            "    - hisi_acc_vfio_pci: bugfix cache write-back issue",
                            "    - hisi_acc_vfio_pci: bugfix the problem of uninstalling driver",
                            "    - wifi: mt76: mt7996: avoid null deref in mt7996_stop_phy()",
                            "    - Bluetooth: separate CIS_LINK and BIS_LINK link types",
                            "    - wifi: mt76: scan: Fix 'mlink' dereferenced before IS_ERR_OR_NULL check",
                            "    - wifi: mt76: mt7996: fix beamformee SS field",
                            "    - wifi: mt76: mt7996: fix invalid NSS setting when TX path differs from",
                            "      NSS",
                            "    - wifi: mt76: fix available_antennas setting",
                            "    - octeontx2-af: Send Link events one by one",
                            "    - f2fs: fix to skip f2fs_balance_fs() if checkpoint is disabled",
                            "    - arm64: dts: qcom: sa8775p: Partially revert \"arm64: dts: qcom: sa8775p:",
                            "      add QCrypto nodes\"",
                            "    - arm64: dts: qcom: qcs8300: Partially revert \"arm64: dts: qcom: qcs8300:",
                            "      add QCrypto nodes\"",
                            "    - arm64: dts: qcom: sm8550: use ICC tag for all interconnect phandles",
                            "    - arm64: dts: qcom: sm8550: add missing cpu-cfg interconnect path in the",
                            "      mdss node",
                            "    - arm64: dts: qcom: ipq9574: fix the msi interrupt numbers of pcie3",
                            "    - arm64: dts: qcom: sm8750: Fix cluster hierarchy for idle states",
                            "    - arm64: dts: qcom: sm8750: Correct clocks property for uart14 node",
                            "    - arm64: dts: qcom: qcs615: remove disallowed property in spmi bus node",
                            "    - arm64: dts: qcom: sm8650: Fix domain-idle-state for CPU2",
                            "    - arm64: dts: rockchip: Add missing uart3 interrupt for RK3528",
                            "    - arm64: dts: mediatek: mt8188: Fix IOMMU device for rdma0",
                            "    - arm64: dts: qcom: x1e001de-devkit: Describe USB retimers resets pin",
                            "      configs",
                            "    - arm64: dts: qcom: x1e001de-devkit: Fix pin config for USB0 retimer vregs",
                            "    - arm64: dts: allwinner: a100: set maximum MMC frequency",
                            "    - arm64: dts: renesas: white-hawk-single: Improve Ethernet TSN description",
                            "    - arm64: dts: qcom: sm8650: add the missing l2 cache node",
                            "    - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399",
                            "      Puma",
                            "    - dt-bindings: display/msm/dsi-phy: Add header with exposed clock IDs",
                            "    - arm64: dts: qcom: msm8998: Use the header with DSI phy clock IDs",
                            "    - arm64: dts: qcom: msm8998: Remove mdss_hdmi_phy phandle argument",
                            "    - arm64: dts: qcom: qcs615: Fix up UFS clocks",
                            "    - ubsan: integer-overflow: depend on BROKEN to keep this out of CI",
                            "    - [Config] disable UBSAN_SIGNED_WRAP",
                            "    - tools build: Don't set libunwind as available if test-all.c build",
                            "      succeeds",
                            "    - tools build: Don't show libunwind build status as it is opt-in",
                            "    - tools build: Don't show libbfd build status as it is opt-in",
                            "    - dm: handle failures in dm_table_set_restrictions",
                            "    - HID: intel-thc-hid: intel-quicki2c: pass correct arguments to",
                            "      acpi_evaluate_object",
                            "    - perf tool_pmu: Fix aggregation on duration_time",
                            "    - remoteproc: k3-r5: Refactor sequential core power up/down operations",
                            "    - netfs: Fix setting of transferred bytes with short DIO reads",
                            "    - netfs: Fix the request's work item to not require a ref",
                            "    - netfs: Fix wait/wake to be consistent about the waitqueue used",
                            "    - mfd: exynos-lpass: Fix another error handling path in",
                            "      exynos_lpass_probe()",
                            "    - netfs: Fix undifferentiation of DIO reads from unbuffered reads",
                            "    - mailbox: mchp-ipc-sbi: Fix COMPILE_TEST build error",
                            "    - perf pmu: Avoid segv for missing name/alias_name in wildcarding",
                            "    - s390/uv: Don't return 0 from make_hva_secure() if the operation was not",
                            "      successful",
                            "    - s390/uv: Always return 0 from s390_wiggle_split_folio() if successful",
                            "    - s390/uv: Improve splitting of large folios that cannot be split while",
                            "      dirty",
                            "    - nfs_localio: use cmpxchg() to install new nfs_file_localio",
                            "    - nfs_localio: always hold nfsd net ref with nfsd_file ref",
                            "    - nfs_localio: simplify interface to nfsd for getting nfsd_file",
                            "    - nfs_localio: duplicate nfs_close_local_fh()",
                            "    - nfs_localio: protect race between nfs_uuid_put() and",
                            "      nfs_close_local_fh()",
                            "    - nfs_localio: change nfsd_file_put_local() to take a pointer to __rcu",
                            "      pointer",
                            "    - rust: file: mark `LocalFile` as `repr(transparent)`",
                            "    - exportfs: require ->fh_to_parent() to encode connectable file handles",
                            "    - PCI: pciehp: Ignore Presence Detect Changed caused by DPC",
                            "    - PCI: pciehp: Ignore Link Down/Up caused by Secondary Bus Reset",
                            "    - PCI: rockchip: Fix order of rockchip_pci_core_rsts",
                            "    - PCI: imx6: Save and restore the LUT setting during suspend/resume for",
                            "      i.MX95 SoC",
                            "    - Revert \"phy: qcom-qusb2: add QUSB2 support for IPQ5424\"",
                            "    - phy: qcom-qusb2: reuse the IPQ6018 settings for IPQ5424",
                            "    - soundwire: only compute port params in specific stream states",
                            "    - rust: pci: fix docs related to missing Markdown code spans",
                            "    - coresight: core: Disable helpers for devices that fail to enable",
                            "    - iio: dac: adi-axi-dac: fix bus read",
                            "    - coresight: tmc: fix failure to disable/enable ETF after reading",
                            "    - coresight: etm4x: Fix timestamp bit field handling",
                            "    - coresight/etm4: fix missing disable active config",
                            "    - staging: gpib: Fix PCMCIA config identifier",
                            "    - staging: gpib: Fix secondary address restriction",
                            "    - rust: miscdevice: fix typo in MiscDevice::ioctl documentation",
                            "    - drm/bridge: analogix_dp: Remove the unnecessary calls to",
                            "      clk_disable_unprepare() during probing",
                            "    - drm/bridge: analogix_dp: Remove CONFIG_PM related check in",
                            "      analogix_dp_bind()/analogix_dp_unbind()",
                            "    - drm/bridge: analogix_dp: Add support to get panel from the DP AUX bus",
                            "    - drm/bridge: analogix_dp: Fix clk-disable removal",
                            "    - drm/xe: Add missing documentation of rpa_freq",
                            "    - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT",
                            "    - net: Fix checksum update for ILA adj-transport",
                            "    - bpf: Clarify the meaning of BPF_F_PSEUDO_HDR",
                            "    - bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE",
                            "    - iavf: iavf_suspend(): take RTNL before netdev_lock()",
                            "    - iavf: centralize watchdog requeueing itself",
                            "    - iavf: simplify watchdog_task in terms of adminq task scheduling",
                            "    - iavf: extract iavf_watchdog_step() out of iavf_watchdog_task()",
                            "    - iavf: sprinkle netdev_assert_locked() annotations",
                            "    - drm/amdgpu/gfx10: Refine Cleaner Shader for GFX10.1.10",
                            "    - block: flip iter directions in blk_rq_integrity_map_user()",
                            "    - nvme: fix implicit bool to flags conversion",
                            "    - net: dsa: b53: implement setting ageing time",
                            "    - net: dsa: b53: do not configure bcm63xx's IMP port interface",
                            "    - netlink: specs: rt-link: add missing byte-order properties",
                            "    - net: annotate data-races around cleanup_net_task",
                            "    - drm/xe/vsec: fix CONFIG_INTEL_VSEC dependency",
                            "    - drm/xe: Rework eviction rejection of bound external bos",
                            "    - ALSA: hda: Allow to fetch hlink by ID",
                            "    - ASoC: Intel: avs: PCM operations for LNL-based platforms",
                            "    - ASoC: Intel: avs: Fix PPLCxFMT calculation",
                            "    - ASoC: Intel: avs: Ignore Vendor-space manipulation for ACE",
                            "    - ASoC: Intel: avs: Read HW capabilities when possible",
                            "    - ASoC: Intel: avs: Relocate DSP status registers",
                            "    - ASoC: Intel: avs: Fix paths in MODULE_FIRMWARE hints",
                            "    - fs: convert mount flags to enum",
                            "    - finish_automount(): don't leak MNT_LOCKED from parent to child",
                            "    - clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the",
                            "      right userns",
                            "    - genksyms: Fix enum consts from a reference affecting new values",
                            "    - accel/amdxdna: Fix incorrect PSP firmware size",
                            "    - drm/vc4: fix infinite EPROBE_DEFER loop",
                            "    - iavf: fix reset_task for early reset event",
                            "    - ice/ptp: fix crosstimestamp reporting",
                            "    - net/mlx5: HWS, make sure the uplink is the last destination",
                            "    - btrfs: fix fsync of files with no hard links not persisting deletion",
                            "    - io_uring: fix spurious drain flushing",
                            "    - smb: client: fix perf regression with deferred closes",
                            "    - rust: compile libcore with edition 2024 for 1.87+",
                            "    - pidfs: never refuse ppid == 0 in PIDFD_GET_INFO",
                            "    - powerpc/kernel: Fix ppc_save_regs inclusion in build",
                            "    - mm/filemap: gate dropbehind invalidate on folio !dirty && !writeback",
                            "    - mm/filemap: use filemap_end_dropbehind() for read invalidation",
                            "    - x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap()",
                            "    - Upstream stable to v6.12.34, v6.15.1, v6.15.2, v6.15.3",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38105",
                            "    - ALSA: usb-audio: Kill timer properly at removal",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38114",
                            "    - e1000: Move cancel_work_sync to avoid deadlock",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38116",
                            "    - wifi: ath12k: fix uaf in ath12k_core_init()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38306",
                            "    - fs/fhandle.c: fix a race in call of has_locked_children()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38272",
                            "    - net: dsa: b53: do not enable EEE on bcm63xx",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38311",
                            "    - iavf: get rid of the crit lock",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38128",
                            "    - Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38130",
                            "    - drm/connector: only call HDMI audio helper plugged cb if non-null",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38132",
                            "    - coresight: holding cscfg_csdev_lock while removing cscfg from csdev",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38137",
                            "    - PCI/pwrctrl: Cancel outstanding rescan work when unregistering",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38139",
                            "    - netfs: Fix oops in write-retry from mis-resetting the subreq iterator",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38140",
                            "    - dm: limit swapping tables for devices with zone write plugs",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38279",
                            "    - bpf: Do not include stack ptr register in precision backtracking",
                            "      bookkeeping",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38314",
                            "    - virtio-pci: Fix result size returned for the admin command completion",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38316",
                            "    - wifi: mt76: mt7996: avoid NULL pointer dereference in",
                            "      mt7996_set_monitor()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38281",
                            "    - wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38284",
                            "    - wifi: rtw89: pci: configure manual DAC mode via PCI config API only",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38287",
                            "    - IB/cm: Drop lockdep assert and WARN when freeing old msg",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38289",
                            "    - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38291",
                            "    - wifi: ath12k: Prevent sending WMI commands to firmware during firmware",
                            "      crash",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38294",
                            "    - wifi: ath12k: fix NULL access in assign channel context handler",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38296",
                            "    - ACPI: platform_profile: Avoid initializing on non-ACPI platforms",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38100",
                            "    - x86/iopl: Cure TIF_IO_BITMAP inconsistencies",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38101",
                            "    - ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38267",
                            "    - ring-buffer: Do not trigger WARN_ON() due to a commit_overrun",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38268",
                            "    - usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38102",
                            "    - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38301",
                            "    - nvmem: zynqmp_nvmem: unbreak driver after cleanup",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38352",
                            "    - posix-cpu-timers: fix race between handle_posix_cpu_timers() and",
                            "      posix_cpu_timer_del()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38103",
                            "    - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38302",
                            "    - block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38106",
                            "    - io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38269",
                            "    - btrfs: exit after state insertion failure at btrfs_convert_extent_bit()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38270",
                            "    - net: drv: netdevsim: don't napi_complete() from netpoll",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38107",
                            "    - net_sched: ets: fix a race in ets_qdisc_change()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38108",
                            "    - net_sched: red: fix a race in __red_change()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38109",
                            "    - net/mlx5: Fix ECVF vports unload on shutdown flow",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38303",
                            "    - Bluetooth: eir: Fix possible crashes on eir_create_adv_data",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38304",
                            "    - Bluetooth: Fix NULL pointer deference on eir_get_service_data",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38110",
                            "    - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38111",
                            "    - net/mdiobus: Fix potential out-of-bounds read/write access",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38112",
                            "    - net: Fix TOCTOU issue in sk_is_readable()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38113",
                            "    - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38088",
                            "    - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38115",
                            "    - net_sched: sch_sfq: fix a potential crash on gso_skb handling",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38414",
                            "    - wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38305",
                            "    - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38117",
                            "    - Bluetooth: MGMT: Protect mgmt_pending list with its own lock",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38118",
                            "    - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38119",
                            "    - scsi: core: ufs: Fix a hang in the error handler",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38307",
                            "    - ASoC: Intel: avs: Verify content returned by parse_int_array()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38310",
                            "    - seg6: Fix validation of nexthop addresses",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38120",
                            "    - netfilter: nf_set_pipapo_avx2: fix initial map fill",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38122",
                            "    - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38123",
                            "    - net: wwan: t7xx: Fix napi rx poll issue",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38124",
                            "    - net: fix udp gso skb_segment after pull from frag_list",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38125",
                            "    - net: stmmac: make sure that ptp_rate is not 0 before configuring EST",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38126",
                            "    - net: stmmac: make sure that ptp_rate is not 0 before configuring",
                            "      timestamping",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38127",
                            "    - ice: fix Tx scheduler error handling in XDP callback",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38129",
                            "    - page_pool: Fix use-after-free in page_pool_recycle_in_ring",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38131",
                            "    - coresight: prevent deactivate active config while enabling the config",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38274",
                            "    - fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38134",
                            "    - usb: acpi: Prevent null pointer dereference in",
                            "      usb_acpi_add_usb4_devlink()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38135",
                            "    - serial: Fix potential null-ptr-deref in mlb_usio_probe()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38136",
                            "    - usb: renesas_usbhs: Reorder clock handling and power management in probe",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38138",
                            "    - dmaengine: ti: Add NULL check in udma_probe()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38275",
                            "    - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38141",
                            "    - dm: fix dm_blk_report_zones",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38142",
                            "    - hwmon: (asus-ec-sensors) check sensor index in read_string()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38277",
                            "    - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38143",
                            "    - backlight: pm8941: Add NULL check in wled_configure()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38312",
                            "    - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38145",
                            "    - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38313",
                            "    - bus: fsl-mc: fix double-free on mc_dev",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38415",
                            "    - Squashfs: check return result of sb_min_blocksize",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38146",
                            "    - net: openvswitch: Fix the dead loop of MPLS parse",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38147",
                            "    - calipso: Don't call calipso functions for AF_INET sk.",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38278",
                            "    - octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38148",
                            "    - net: phy: mscc: Fix memory leak when using one step timestamping",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38149",
                            "    - net: phy: clear phydev->devlink when the link is deleted",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38280",
                            "    - bpf: Avoid __bpf_prog_ret0_warn when jit fails",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38151",
                            "    - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38153",
                            "    - net: usb: aqc111: fix error handling of usbnet read calls",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38154",
                            "    - bpf, sockmap: Avoid using sk_socket after free when sending",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38315",
                            "    - Bluetooth: btintel: Check dsbr size from EFI variable",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38155",
                            "    - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38156",
                            "    - wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38282",
                            "    - kernfs: Relax constraint in draining guard",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38157",
                            "    - wifi: ath9k_htc: Abort software beacon handling if disabled",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38283",
                            "    - hisi_acc_vfio_pci: bugfix live migration function without VF device",
                            "      driver",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38158",
                            "    - hisi_acc_vfio_pci: fix XQE dma address error",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38159",
                            "    - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38285",
                            "    - bpf: Fix WARN() in get_bpf_raw_tp_regs",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38286",
                            "    - pinctrl: at91: Fix possible out-of-boundary access",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38160",
                            "    - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38161",
                            "    - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38162",
                            "    - netfilter: nft_set_pipapo: prevent overflow in lookup table allocation",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38288",
                            "    - scsi: smartpqi: Fix smp_processor_id() call trace for preemptible",
                            "      kernels",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38290",
                            "    - wifi: ath12k: fix node corruption in ar->arvifs list",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38292",
                            "    - wifi: ath12k: fix invalid access to memory",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38163",
                            "    - f2fs: fix to do sanity check on sbi->total_valid_block_count",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38317",
                            "    - wifi: ath12k: Fix buffer overflow in debugfs",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38164",
                            "    - f2fs: zone: fix to avoid inconsistence in between SIT and SSA",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38165",
                            "    - bpf, sockmap: Fix panic when calling skb_linearize",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38166",
                            "    - bpf: fix ktls panic with sockmap",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38293",
                            "    - wifi: ath11k: fix node corruption in ar->arvifs list",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38295",
                            "    - perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in",
                            "      meson_ddr_pmu_create()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38167",
                            "    - fs/ntfs3: handle hdr_first_de() return value",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38318",
                            "    - perf: arm-ni: Fix missing platform_set_drvdata()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38168",
                            "    - perf: arm-ni: Unregister PMUs on probe failure",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38169",
                            "    - arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38170",
                            "    - arm64/fpsimd: Discard stale CPU state when handling SME traps",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38319",
                            "    - drm/amd/pp: Fix potential NULL pointer dereference in",
                            "      atomctrl_initialize_mc_reg_table",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38297",
                            "    - PM: EM: Fix potential division-by-zero error in em_compute_costs()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38298",
                            "    - EDAC/skx_common: Fix general protection fault",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38299",
                            "    - ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38172",
                            "    - erofs: avoid using multiple devices with different type",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38173",
                            "    - crypto: marvell/cesa - Handle zero-length skcipher requests",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38300",
                            "    - crypto: sun8i-ce-cipher - fix error handling in",
                            "      sun8i_ce_cipher_prepare()",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039)",
                            "    - tracing: Fix compilation warning on arm32",
                            "    - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31",
                            "    - pinctrl: armada-37xx: set GPIO output value before setting direction",
                            "    - clk: samsung: correct clock summary for hsi1 block",
                            "    - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()",
                            "    - Documentation: ACPI: Use all-string data node references",
                            "    - rtc: Make rtc_time64_to_tm() support dates before 1970",
                            "    - rtc: Fix offset calculation for .start_secs < 0",
                            "    - orangefs: adjust counting code to recover from 665575cf",
                            "    - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE",
                            "    - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device",
                            "    - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB",
                            "    - usb: typec: ucsi: fix Clang -Wsign-conversion warning",
                            "    - Bluetooth: hci_qca: move the SoC type check to the right place",
                            "    - nvmem: rmem: select CONFIG_CRC32",
                            "    - usb: usbtmc: Fix timeout value in get_stb",
                            "    - dt-bindings: pwm: adi,axi-pwmgen: Fix clocks",
                            "    - dt-bindings: usb: cypress,hx3: Add support for all variants",
                            "    - dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt",
                            "      property",
                            "    - Linux 6.14.11",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38174",
                            "    - thunderbolt: Do not double dequeue a configuration request",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38175",
                            "    - binder: fix yet another UAF in binder_devices",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38176",
                            "    - binder: fix use-after-free in binderfs_evict_inode()",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38265",
                            "    - serial: jsm: fix NPE during jsm_uart_port_init",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010)",
                            "    - can: kvaser_pciefd: Force IRQ edge in case of nested IRQ",
                            "    - arm64: dts: socfpga: agilex5: fix gpio0 address",
                            "    - arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma",
                            "    - arm64: dts: qcom: ipq9574: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sa8775p: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sa8775p: Remove extra entries from the iommus property",
                            "    - arm64: dts: qcom: sa8775p: Remove cdsp compute-cb@10",
                            "    - arm64: dts: qcom: sm8350: Fix typo in pil_camera_mem node",
                            "    - arm64: dts: qcom: sm8450: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sm8550: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sm8650: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: x1e001de-devkit: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e001de-devkit: mark l12b and",
                            "      l15b always-on\"",
                            "    - arm64: dts: qcom: x1e001de-devkit: mark l12b and l15b always-on",
                            "    - arm64: dts: qcom: x1e80100-asus-vivobook-s15: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: mark",
                            "      l12b and l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-dell-xps13-9345: mark l12b and l15b always-on",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-hp-omnibook-x14:",
                            "      Enable SMB2360 0 and 1\"",
                            "    - arm64: dts: qcom: x1e80100-hp-omnibook-x14: Enable SMB2360 0 and 1",
                            "    - arm64: dts: qcom: x1e80100-hp-omnibook-x14: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-hp-x14: mark l12b and",
                            "      l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-hp-x14: mark l12b and l15b always-on",
                            "    - arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Fix vreg_l2j_1p2 voltage",
                            "    - arm64: dts: qcom: x1e80100-qcp: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-qcp: mark l12b and",
                            "      l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-qcp: mark l12b and l15b always-on",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-yoga-slim7x: mark l12b",
                            "      and l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-yoga-slim7x: mark l12b and l15b always-on",
                            "    - arm64: dts: qcom: x1e80100: Fix PCIe 3rd controller DBI size",
                            "    - arm64: dts: ti: k3-am62-main: Set eMMC clock parent to default",
                            "    - arm64: dts: ti: k3-am62a-main: Set eMMC clock parent to default",
                            "    - arm64: dts: ti: k3-am62p-j722s-common-main: Set eMMC clock parent to",
                            "      default",
                            "    - arm64: dts: ti: k3-am62x: Remove clock-names property from IMX219",
                            "      overlay",
                            "    - arm64: dts: ti: k3-am62x: Rename I2C switch to I2C mux in IMX219 overlay",
                            "    - arm64: dts: ti: k3-am62x: Rename I2C switch to I2C mux in OV5640 overlay",
                            "    - arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0",
                            "    - arm64: dts: ti: k3-am68-sk: Fix regulator hierarchy",
                            "    - arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators",
                            "    - arm64: dts: ti: k3-j721e-sk: Remove clock-names property from IMX219",
                            "      overlay",
                            "    - arm64: dts: ti: k3-j721e-sk: Add requiried voltage supplies for IMX219",
                            "    - arm64: dts: ti: k3-j722s-evm: Enable \"serdes_wiz0\" and \"serdes_wiz1\"",
                            "    - arm64: dts: ti: k3-j722s-main: Disable \"serdes_wiz0\" and \"serdes_wiz1\"",
                            "    - arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix length of",
                            "      serdes_ln_ctrl",
                            "    - perf/arm-cmn: Fix REQ2/SNP2 mixup",
                            "    - perf/arm-cmn: Initialise cmn->cpu earlier",
                            "    - perf/arm-cmn: Add CMN S3 ACPI binding",
                            "    - iommu: Handle yet another race around registration",
                            "    - coredump: fix error handling for replace_fd()",
                            "    - coredump: hand a pidfd to the usermode coredump helper",
                            "    - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open",
                            "    - HID: amd_sfh: Avoid clearing reports for SRA sensor",
                            "    - HID: quirks: Add ADATA XPG alpha wireless mouse support",
                            "    - nfs: don't share pNFS DS connections between net namespaces",
                            "    - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS",
                            "    - kbuild: Require pahole <v1.28 or >v1.29 with GENDWARFKSYMS on X86",
                            "    - SAUCE: Revert \"kbuild: Require pahole <v1.28 or >v1.29 with",
                            "      GENDWARFKSYMS on X86\"",
                            "    - um: let 'make clean' properly clean underlying SUBARCH as well",
                            "    - nvmet: pci-epf: cleanup nvmet_pci_epf_raise_irq()",
                            "    - drm/amd/display: fix link_set_dpms_off multi-display MST corner case",
                            "    - nvme: multipath: enable BLK_FEAT_ATOMIC_WRITES for multipathing",
                            "    - phy: starfive: jh7110-usb: Fix USB 2.0 host occasional detection failure",
                            "    - phy: phy-rockchip-samsung-hdptx: Fix PHY PLL output 50.25MHz error",
                            "    - spi: spi-sun4i: fix early activation",
                            "    - nvme: all namespaces in a subsystem must adhere to a common atomic write",
                            "      size",
                            "    - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro",
                            "    - drm/xe/xe2hpg: Add Wa_22021007897",
                            "    - drm/xe: Save the gt pointer in lrc and drop the tile",
                            "    - char: tpm: tpm-buf: Add sanity check fallback in read helpers",
                            "    - NFS: Avoid flushing data while holding directory locks in nfs_rename()",
                            "    - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys",
                            "    - ALSA: hda/realtek - restore auto-mute mode for Dell Chrome platform",
                            "    - platform/x86: thinkpad_acpi: Ignore battery threshold change event",
                            "      notification",
                            "    - net: ethernet: ti: am65-cpsw: Lower random mac address error print to",
                            "      info",
                            "    - Linux 6.14.10",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010) //",
                            "    CVE-2025-38092",
                            "    - ksmbd: use list_first_entry_or_null for opinfo_get_list()",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010) //",
                            "    CVE-2025-38091",
                            "    - drm/amd/display: check stream id dml21 wrapper to get plane_id",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010) //",
                            "    CVE-2025-38082",
                            "    - gpio: virtuser: fix potential out-of-bound write",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678)",
                            "    - drm/amd/display: Do not enable replay when vtotal update is pending.",
                            "    - drm/amd/display: Correct timing_adjust_pending flag setting.",
                            "    - drm/amd/display: Defer BW-optimization-blocked DRR adjustments",
                            "    - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe",
                            "    - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver",
                            "      data",
                            "    - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off",
                            "    - nvmet: pci-epf: Keep completion queues mapped",
                            "    - nvmet: pci-epf: clear completion queue IRQ flag on delete",
                            "    - cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist",
                            "    - nvmem: rockchip-otp: Move read-offset into variant-data",
                            "    - nvmem: rockchip-otp: add rk3576 variant data",
                            "    - nvmem: core: fix bit offsets of more than one byte",
                            "    - nvmem: core: verify cell's raw_len",
                            "    - nvmem: core: update raw_len if the bit reading is required",
                            "    - nvmem: qfprom: switch to 4-byte aligned reads",
                            "    - scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices",
                            "    - dma/mapping.c: dev_dbg support for dma_addressing_limited",
                            "    - intel_th: avoid using deprecated page->mapping, index fields",
                            "    - mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type",
                            "    - dma-mapping: avoid potential unused data compilation warning",
                            "    - btrfs: tree-checker: adjust error code for header level check",
                            "    - cgroup: Fix compilation issue due to cgroup_mutex not being exported",
                            "    - vhost_task: fix vhost_task_create() documentation",
                            "    - scsi: mpi3mr: Add level check to control event logging",
                            "    - dma-mapping: Fix warning reported for missing prototype",
                            "    - ima: process_measurement() needlessly takes inode_lock() on MAY_READ",
                            "    - fs/buffer: split locking for pagecache lookups",
                            "    - fs/buffer: introduce sleeping flavors for pagecache lookups",
                            "    - fs/buffer: use sleeping version of __find_get_block()",
                            "    - fs/ocfs2: use sleeping version of __find_get_block()",
                            "    - fs/jbd2: use sleeping version of __find_get_block()",
                            "    - fs/ext4: use sleeping version of sb_find_get_block()",
                            "    - drm/amd/display: Enable urgent latency adjustment on DCN35",
                            "    - drm/amdgpu: Allow P2P access through XGMI",
                            "    - selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure",
                            "    - block: hoist block size validation code to a separate function",
                            "    - io_uring: don't duplicate flushing in io_req_post_cqe",
                            "    - bpf: fix possible endless loop in BPF map iteration",
                            "    - samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora",
                            "    - kconfig: merge_config: use an empty file as initfile",
                            "    - s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel",
                            "      log",
                            "    - cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES",
                            "    - cifs: Fix querying and creating MF symlinks over SMB1",
                            "    - cifs: Fix access_flags_to_smbopen_mode",
                            "    - cifs: Fix negotiate retry functionality",
                            "    - smb: client: Store original IO parameters and prevent zero IO sizes",
                            "    - fuse: Return EPERM rather than ENOSYS from link()",
                            "    - exfat: call bh_read in get_block only when necessary",
                            "    - io_uring/msg: initialise msg request opcode",
                            "    - NFSv4: Check for delegation validity in",
                            "      nfs_start_delegation_return_locked()",
                            "    - NFS: Don't allow waiting for exiting tasks",
                            "    - SUNRPC: Don't allow waiting for exiting tasks",
                            "    - arm64: Add support for HIP09 Spectre-BHB mitigation",
                            "    - iommufd: Extend IOMMU_GET_HW_INFO to report PASID capability",
                            "    - ring-buffer: Use kaslr address instead of text delta",
                            "    - tracing: Mark binary printing functions with __printf() attribute",
                            "    - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list",
                            "    - tpm: Convert warn to dbg in tpm2_start_auth_session()",
                            "    - mailbox: pcc: Use acpi_os_ioremap() instead of ioremap()",
                            "    - mailbox: use error ret code of of_parse_phandle_with_args()",
                            "    - riscv: Allow NOMMU kernels to access all of RAM",
                            "    - fbdev: fsl-diu-fb: add missing device_remove_file()",
                            "    - fbcon: Use correct erase colour for clearing in fbcon",
                            "    - fbdev: core: tileblit: Implement missing margin clearing for tileblit",
                            "    - cifs: Set default Netbios RFC1001 server name to hostname in UNC",
                            "    - cifs: add validation check for the fields in smb_aces",
                            "    - cifs: Fix establishing NetBIOS session for SMB2+ connection",
                            "    - cifs: Fix getting DACL-only xattr system.cifs_acl and system.smb3_acl",
                            "    - cifs: Check if server supports reparse points before using them",
                            "    - NFSv4: Treat ENETUNREACH errors as fatal for state recovery",
                            "    - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting",
                            "    - SUNRPC: rpcbind should never reset the port to the value '0'",
                            "    - ASoC: codecs: wsa884x: Correct VI sense channel mask",
                            "    - ASoC: codecs: wsa883x: Correct VI sense channel mask",
                            "    - mctp: Fix incorrect tx flow invalidation condition in mctp-i2c",
                            "    - net: tn40xx: add pci-id of the aqr105-based Tehuti TN4010 cards",
                            "    - net: tn40xx: create swnode for mdio and aqr105 phy and add to mdiobus",
                            "    - thermal/drivers/mediatek/lvts: Start sensor interrupts disabled",
                            "    - thermal/drivers/qoriq: Power down TMU on system suspend",
                            "    - Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler",
                            "      removal",
                            "    - Bluetooth: Disable SCO support if READ_VOICE_SETTING is",
                            "      unsupported/broken",
                            "    - RISC-V: add vector extension validation checks",
                            "    - dql: Fix dql->limit value when reset.",
                            "    - lockdep: Fix wait context check on softirq for PREEMPT_RT",
                            "    - objtool: Properly disable uaccess validation",
                            "    - net/mlx5e: Use right API to free bitmap memory",
                            "    - PCI: dwc: ep: Ensure proper iteration over outbound map windows",
                            "    - r8169: disable RTL8126 ZRX-DC timeout",
                            "    - tools/build: Don't pass test log files to linker",
                            "    - PCI: xilinx-cpm: Add cpm_csr register mapping for CPM5_HOST1 variant",
                            "    - i2c: qcom-geni: Update i2c frequency table to match hardware guidance",
                            "    - pNFS/flexfiles: Report ENETDOWN as a connection error",
                            "    - drm/amdgpu/discovery: check ip_discovery fw file available",
                            "    - drm/amdgpu: rework how the cleaner shader is emitted v3",
                            "    - drm/amdgpu: rework how isolation is enforced v2",
                            "    - drm/amdgpu: use GFP_NOWAIT for memory allocations",
                            "    - drm/amdkfd: set precise mem ops caps to disabled for gfx 11 and 12",
                            "    - PCI: vmd: Disable MSI remapping bypass under Xen",
                            "    - xen/pci: Do not register devices with segments >= 0x10000",
                            "    - ext4: on a remount, only log the ro or r/w state when it has changed",
                            "    - pidfs: improve multi-threaded exec and premature thread-group leader",
                            "      exit polling",
                            "    - staging: vchiq_arm: Create keep-alive thread during probe",
                            "    - mmc: host: Wait for Vdd to settle on card power off",
                            "    - drm/amdgpu: Skip pcie_replay_count sysfs creation for VF",
                            "    - cgroup/rstat: avoid disabling irqs for O(num_cpu)",
                            "    - wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv()",
                            "    - wifi: mt76: scan: fix setting tx_info fields",
                            "    - wifi: mt76: mt7996: implement driver specific get_txpower function",
                            "    - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2",
                            "    - wifi: mt76: mt7996: use the correct vif link for scanning/roc",
                            "    - wifi: mt76: scan: set vif offchannel link for scanning/roc",
                            "    - wifi: mt76: mt7996: fix SER reset trigger on WED reset",
                            "    - wifi: mt76: mt7996: revise TXS size",
                            "    - wifi: mt76: mt7925: load the appropriate CLC data based on hardware type",
                            "    - wifi: mt76: mt7925: Simplify HIF suspend handling to avoid suspend fail",
                            "    - wifi: mt76: mt7925: fix fails to enter low power mode in suspend state",
                            "    - x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in non-UAPI headers",
                            "    - x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers",
                            "    - x86/stackprotector/64: Only export __ref_stack_chk_guard on CONFIG_SMP",
                            "    - x86/smpboot: Fix INIT delay assignment for extended Intel Families",
                            "    - x86/microcode: Update the Intel processor flag scan check",
                            "    - x86/amd_node: Add SMN offsets to exclusive region access",
                            "    - i2c: qup: Vote for interconnect bandwidth to DRAM",
                            "    - i2c: amd-asf: Set cmd variable when encountering an error",
                            "    - i2c: pxa: fix call balance of i2c->clk handling routines",
                            "    - btrfs: make btrfs_discard_workfn() block_group ref explicit",
                            "    - btrfs: avoid linker error in btrfs_find_create_tree_block()",
                            "    - btrfs: run btrfs_error_commit_super() early",
                            "    - btrfs: fix non-empty delayed iputs list on unmount due to async workers",
                            "    - btrfs: get zone unusable bytes while holding lock at",
                            "      btrfs_reclaim_bgs_work()",
                            "    - btrfs: send: return -ENAMETOOLONG when attempting a path that is too",
                            "      long",
                            "    - blk-cgroup: improve policy registration error handling",
                            "    - drm/amdgpu: release xcp_mgr on exit",
                            "    - drm/amd/display: Guard against setting dispclk low for dcn31x",
                            "    - drm/amdgpu: don't free conflicting apertures for non-display devices",
                            "    - drm/amdgpu: adjust drm_firmware_drivers_only() handling",
                            "    - i3c: master: svc: Fix missing STOP for master request",
                            "    - s390/tlb: Use mm_has_pgste() instead of mm_alloc_pgste()",
                            "    - dlm: make tcp still work in multi-link env",
                            "    - loop: move vfs_fsync() out of loop_update_dio()",
                            "    - clocksource/drivers/timer-riscv: Stop stimecmp when cpu hotplug",
                            "    - um: Store full CSGSFS and SS register from mcontext",
                            "    - um: Update min_low_pfn to match changes in uml_reserved",
                            "    - net/mlx5: Preserve rate settings when creating a rate node",
                            "    - wifi: mwifiex: Fix HT40 bandwidth issue.",
                            "    - bnxt_en: Query FW parameters when the CAPS_CHANGE bit is set",
                            "    - ixgbe: add support for thermal sensor event reception",
                            "    - riscv: Call secondary mmu notifier when flushing the tlb",
                            "    - ext4: reorder capability check last",
                            "    - hypfs_create_cpu_files(): add missing check for hypfs_mkdir() failure",
                            "    - scsi: st: Tighten the page format heuristics with MODE SELECT",
                            "    - scsi: st: ERASE does not change tape location",
                            "    - vfio/pci: Handle INTx IRQ_NOTCONNECTED",
                            "    - bpftool: Using the right format specifiers",
                            "    - bpf: Return prog btf_id without capable check",
                            "    - PCI: dwc: Use resource start as ioremap() input in",
                            "      dw_pcie_pme_turn_off()",
                            "    - jbd2: do not try to recover wiped journal",
                            "    - tcp: reorganize tcp_in_ack_event() and tcp_count_delivered()",
                            "    - rtc: rv3032: fix EERD location",
                            "    - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for",
                            "      retimer",
                            "    - erofs: initialize decompression early",
                            "    - spi: spi-mux: Fix coverity issue, unchecked return value",
                            "    - ASoC: pcm6240: Drop bogus code handling IRQ as GPIO",
                            "    - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect",
                            "    - kunit: tool: Fix bug in parsing test plan",
                            "    - bpf: Allow pre-ordering for bpf cgroup progs",
                            "    - kbuild: fix argument parsing in scripts/config",
                            "    - kconfig: do not clear SYMBOL_VALID when reading include/config/auto.conf",
                            "    - crypto: octeontx2 - suppress auth failure screaming due to negative",
                            "      tests",
                            "    - dm: restrict dm device size to 2^63-512 bytes",
                            "    - net/smc: use the correct ndev to find pnetid by pnetid table",
                            "    - xen: Add support for XenServer 6.1 platform device",
                            "    - pinctrl-tegra: Restore SFSEL bit when freeing pins",
                            "    - mfd: syscon: Add check for invalid resource size",
                            "    - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check",
                            "    - drm/amdgpu/gfx12: don't read registers in mqd init",
                            "    - drm/amdgpu/gfx11: don't read registers in mqd init",
                            "    - drm/amdgpu: Update SRIOV video codec caps",
                            "    - ASoC: sun4i-codec: support hp-det-gpios property",
                            "    - ASoC: sun4i-codec: correct dapm widgets and controls for h616",
                            "    - clk: qcom: lpassaudiocc-sc7280: Add support for LPASS resets for QCM6490",
                            "    - leds: Kconfig: leds-st1202: Add select for required LEDS_TRIGGER_PATTERN",
                            "    - leds: leds-st1202: Initialize hardware before DT node child operations",
                            "    - ext4: reject the 'data_err=abort' option in nojournal mode",
                            "    - ext4: do not convert the unwritten extents if data writeback fails",
                            "    - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject()",
                            "    - posix-timers: Add cond_resched() to posix_timer_add() search loop",
                            "    - posix-timers: Ensure that timer initialization is fully visible",
                            "    - net: stmmac: dwmac-rk: Validate GRF and peripheral GRF during probe",
                            "    - net: hsr: Fix PRP duplicate detection",
                            "    - timer_list: Don't use %pK through printk()",
                            "    - wifi: rtw89: coex: Fix coexistence report not show as expected",
                            "    - wifi: rtw89: set force HE TB mode when connecting to 11ax AP",
                            "    - netfilter: conntrack: Bound nf_conntrack sysctl writes",
                            "    - PNP: Expand length of fixup id string",
                            "    - phy: rockchip: usbdp: Only verify link rates/lanes/voltage when the",
                            "      corresponding set flags are set",
                            "    - arm64/mm: Check pmd_table() in pmd_trans_huge()",
                            "    - arm64/mm: Check PUD_TYPE_TABLE in pud_bad()",
                            "    - mmc: dw_mmc: add exynos7870 DW MMC support",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - usb: xhci: Don't change the status of stalled TDs on failed Stop EP",
                            "    - wifi: iwlwifi: mvm: fix setting the TK when associated",
                            "    - hwmon: (dell-smm) Increment the number of fans",
                            "    - iommu: Keep dev->iommu state consistent",
                            "    - printk: Check CON_SUSPEND when unblanking a console",
                            "    - wifi: iwlwifi: don't warn when if there is a FW error",
                            "    - wifi: iwlwifi: w/a FW SMPS mode selection",
                            "    - wifi: iwlwifi: mark Br device not integrated",
                            "    - wifi: iwlwifi: fix the ECKV UEFI variable name",
                            "    - wifi: mac80211: don't include MLE in ML reconf per-STA profile",
                            "    - wifi: cfg80211: Update the link address when a link is added",
                            "    - wifi: mac80211: fix warning on disconnect during failed ML reconf",
                            "    - wifi: mac80211_hwsim: Fix MLD address translation",
                            "    - wifi: mac80211: fix U-APSD check in ML reconfiguration",
                            "    - wifi: cfg80211: allow IR in 20 MHz configurations",
                            "    - r8169: increase max jumbo packet size on RTL8125/RTL8126",
                            "    - ipv6: save dontfrag in cork",
                            "    - drm/amd/display: remove minimum Dispclk and apply oem panel timing.",
                            "    - drm/amd/display: calculate the remain segments for all pipes",
                            "    - drm/amd/display: not abort link train when bw is low",
                            "    - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch",
                            "    - gfs2: Check for empty queue in run_queue",
                            "    - auxdisplay: charlcd: Partially revert \"Move hwidth and bwidth to struct",
                            "      hd44780_common\"",
                            "    - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup()",
                            "    - badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable",
                            "      < 0",
                            "    - block: acquire q->limits_lock while reading sysfs attributes",
                            "    - coresight-etb10: change etb_drvdata spinlock's type to raw_spinlock_t",
                            "    - coresight: change coresight_trace_id_map's lock type to raw_spinlock_t",
                            "    - iommu/vt-d: Check if SVA is supported when attaching the SVA domain",
                            "    - iommu/amd/pgtbl_v2: Improve error handling",
                            "    - fs/pipe: Limit the slots in pipe_resize_ring()",
                            "    - cpufreq: tegra186: Share policy per cluster",
                            "    - watchdog: s3c2410_wdt: Fix PMU register bits for ExynosAutoV920 SoC",
                            "    - watchdog: aspeed: Update bootstatus handling",
                            "    - misc: pci_endpoint_test: Give disabled BARs a distinct error code",
                            "    - selftests: pci_endpoint: Skip disabled BARs",
                            "    - crypto: mxs-dcp - Only set OTP_KEY bit for OTP key",
                            "    - drm/amdkfd: Set per-process flags only once for gfx9/10/11/12",
                            "    - drm/amdkfd: Set per-process flags only once cik/vi",
                            "    - drm/amdkfd: clear F8_MODE for gfx950",
                            "    - drm/amdgpu: increase RAS bad page threshold",
                            "    - drm/amdgpu: Fix missing drain retry fault the last entry",
                            "    - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator",
                            "    - arm64: tegra: Resize aperture for the IGX PCIe C5 slot",
                            "    - powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7",
                            "    - ALSA: seq: Improve data consistency at polling",
                            "    - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()",
                            "    - rtc: ds1307: stop disabling alarms on probe",
                            "    - ieee802154: ca8210: Use proper setters and getters for bitwise types",
                            "    - drm/xe: Nuke VM's mapping upon close",
                            "    - drm/xe: Retry BO allocation",
                            "    - soc: samsung: include linux/array_size.h where needed",
                            "    - ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114",
                            "    - media: c8sectpfe: Call of_node_put(i2c_bus) only once in",
                            "      c8sectpfe_probe()",
                            "    - media: cec: use us_to_ktime() where appropriate",
                            "    - usb: xhci: set page size to the xHCI-supported size",
                            "    - soc: mediatek: mtk-mutex: Add DPI1 SOF/EOF to MT8188 mutex tables",
                            "    - drm/gem: Test for imported GEM buffers with helper",
                            "    - net: phylink: use pl->link_interface in phylink_expects_phy()",
                            "    - blk-throttle: don't take carryover for prioritized processing of",
                            "      metadata",
                            "    - remoteproc: qcom_wcnss: Handle platforms with only single power domain",
                            "    - drm/xe: Disambiguate GMDID-based IP names",
                            "    - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c",
                            "    - drm/amdgpu: Reinit FW shared flags on VCN v5.0.1",
                            "    - drm/amd/display: Ensure DMCUB idle before reset on DCN31/DCN35",
                            "    - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination",
                            "    - drm/amd/display: Fix DMUB reset sequence for DCN401",
                            "    - drm/amd/display: Fix p-state type when p-state is unsupported",
                            "    - drm/amd/display: Request HW cursor on DCN3.2 with SubVP",
                            "    - drm/amdgpu: Avoid HDP flush on JPEG v5.0.1",
                            "    - drm/amdgpu: Add offset normalization in VCN v5.0.1",
                            "    - perf/core: Clean up perf_try_init_event()",
                            "    - pinctrl: bcm281xx: Use \"unsigned int\" instead of bare \"unsigned\"",
                            "    - rcu: Fix get_state_synchronize_rcu_full() GP-start detection",
                            "    - drm/msm/dpu: Set possible clones for all encoders",
                            "    - net: ethernet: ti: cpsw_new: populate netdev of_node",
                            "    - eth: fbnic: Prepend TSENE FW fields with FBNIC_FW",
                            "    - net: phy: nxp-c45-tja11xx: add match_phy_device to TJA1103/TJA1104",
                            "    - dpll: Add an assertion to check freq_supported_num",
                            "    - ublk: enforce ublks_max only for unprivileged devices",
                            "    - iommufd: Disallow allocating nested parent domain with fault ID",
                            "    - media: imx335: Set vblank immediately",
                            "    - net: pktgen: fix mpls maximum labels list parsing",
                            "    - perf/core: Fix perf_mmap() failure path",
                            "    - perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type",
                            "    - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7",
                            "    - scsi: logging: Fix scsi_logging_level bounds",
                            "    - ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config().",
                            "    - ipv4: fib: Hold rtnl_net_lock() in ip_rt_ioctl().",
                            "    - drm/rockchip: vop2: Add uv swap for cluster window",
                            "    - block: mark bounce buffering as incompatible with integrity",
                            "    - null_blk: generate null_blk configfs features string",
                            "    - ublk: complete command synchronously on error",
                            "    - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map",
                            "    - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value",
                            "    - clk: imx8mp: inform CCF of maximum frequency of clocks",
                            "    - PM: sleep: Suppress sleeping parent warning in special case",
                            "    - x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2",
                            "    - hwmon: (acpi_power_meter) Fix the fake power alarm reporting",
                            "    - hwmon: (gpio-fan) Add missing mutex locks",
                            "    - ARM: at91: pm: fix at91_suspend_finish for ZQ calibration",
                            "    - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence",
                            "    - fpga: altera-cvp: Increase credit timeout",
                            "    - perf: arm_pmuv3: Call kvm_vcpu_pmu_resync_el0() before enabling counters",
                            "    - soc: apple: rtkit: Use high prio work queue",
                            "    - soc: apple: rtkit: Implement OSLog buffers properly",
                            "    - wifi: ath12k: Report proper tx completion status to mac80211",
                            "    - PCI: brcmstb: Expand inbound window size up to 64GB",
                            "    - PCI: brcmstb: Add a softdep to MIP MSI-X driver",
                            "    - drm/xe/vf: Retry sending MMIO request to GUC on timeout error",
                            "    - drm/xe/pf: Create a link between PF and VF devices",
                            "    - net/mlx5: Avoid report two health errors on same syndrome",
                            "    - selftests/net: have `gro.sh -t` return a correct exit code",
                            "    - driver core: faux: only create the device if probe() succeeds",
                            "    - pinctrl: sophgo: avoid to modify untouched bit when setting cv1800",
                            "      pinconf",
                            "    - drm/amdkfd: KFD release_work possible circular locking",
                            "    - drm/xe: xe_gen_wa_oob: replace program_invocation_short_name",
                            "    - leds: pwm-multicolor: Add check for fwnode_property_read_u32",
                            "    - accel/amdxdna: Check interrupt register before mailbox_rx_worker exits",
                            "    - net: ethernet: mtk_ppe_offload: Allow QinQ, double ETH_P_8021Q only",
                            "    - net: xgene-v2: remove incorrect ACPI_PTR annotation",
                            "    - wifi: rtw89: Parse channel from IE to correct invalid hardware reports",
                            "      during scanning",
                            "    - bonding: report duplicate MAC address in all situations",
                            "    - tcp: be less liberal in TSEcr received while in SYN_RECV state",
                            "    - pinctrl: qcom: msm8917: Add MSM8937 wsa_reset pin",
                            "    - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band",
                            "    - soc: ti: k3-socinfo: Do not use syscon helper to build regmap",
                            "    - bpf: Search and add kfuncs in struct_ops prologue and epilogue",
                            "    - Octeontx2-af: RPM: Register driver with PCI subsys IDs",
                            "    - x86/build: Fix broken copy command in genimage.sh when making isoimage",
                            "    - drm/amd/display: handle max_downscale_src_width fail check",
                            "    - drm/amd/display: fix dcn4x init failed",
                            "    - drm/amd/display: fix check for identity ratio",
                            "    - drm/amd/display: Fix mismatch type comparison",
                            "    - drm/amd/display: Add opp recout adjustment",
                            "    - drm/amd/display: Fix mismatch type comparison in custom_float",
                            "    - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile",
                            "    - ASoC: mediatek: mt8188: Add reference for dmic clocks",
                            "    - x86/nmi: Add an emergency handler in nmi_desc & use it in",
                            "      nmi_shootdown_cpus()",
                            "    - vhost-scsi: Return queue full for page alloc failures during copy",
                            "    - vdpa/mlx5: Fix mlx5_vdpa_get_config() endianness on big-endian machines",
                            "    - cpuidle: menu: Avoid discarding useful information",
                            "    - media: adv7180: Disable test-pattern control on adv7180",
                            "    - media: tc358746: improve calculation of the D-PHY timing registers",
                            "    - net/mlx5e: Add correct match to check IPSec syndromes for switchdev mode",
                            "    - scsi: mpi3mr: Update timestamp only for supervisor IOCs",
                            "    - loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize",
                            "    - net: stmmac: Correct usage of maximum queue number macros",
                            "    - libbpf: Fix out-of-bound read",
                            "    - gpiolib: sanitize the return value of gpio_chip::set_config()",
                            "    - scsi: scsi_debug: First fixes for tapes",
                            "    - bpf: arm64: Silence \"UBSAN: negation-overflow\" warning",
                            "    - net/mlx5: Change POOL_NEXT_SIZE define value and make it global",
                            "    - x86/kaslr: Reduce KASLR entropy on most x86 systems",
                            "    - crypto: ahash - Set default reqsize from ahash_alg",
                            "    - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher",
                            "    - net: ipv6: Init tunnel link-netns before registering dev",
                            "    - rtnetlink: Lookup device in target netns when creating link",
                            "    - drm/xe/oa: Ensure that polled read returns latest data",
                            "    - MIPS: Use arch specific syscall name match function",
                            "    - drm/amdgpu: remove all KFD fences from the BO on release",
                            "    - x86/mm: Make MMU_GATHER_RCU_TABLE_FREE unconditional",
                            "    - x86/locking: Use ALT_OUTPUT_SP() for percpu_{,try_}cmpxchg{64,128}_op()",
                            "    - pps: generators: replace copy of pps-gen info struct with const pointer",
                            "    - MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core",
                            "    - clocksource: mips-gic-timer: Enable counter when CPUs start",
                            "    - PCI: epf-mhi: Update device ID for SA8775P",
                            "    - scsi: mpt3sas: Send a diag reset if target reset fails",
                            "    - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU",
                            "    - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU",
                            "    - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31",
                            "    - wifi: rtw88: Fix rtw_mac_power_switch() for RTL8814AU",
                            "    - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx()",
                            "    - wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32()",
                            "    - wifi: rtw89: fw: add blacklist to avoid obsolete secure firmware",
                            "    - wifi: rtw89: 8922a: fix incorrect STA-ID in EHT MU PPDU",
                            "    - power: supply: axp20x_battery: Update temp sensor for AXP717 from device",
                            "      tree",
                            "    - EDAC/ie31200: work around false positive build warning",
                            "    - i3c: master: svc: Flush FIFO before sending Dynamic Address",
                            "      Assignment(DAA)",
                            "    - netdevsim: call napi_schedule from a timer context",
                            "    - mfd: axp20x: AXP717: Add AXP717_TS_PIN_CFG to writeable regs",
                            "    - eeprom: ee1004: Check chip before probing",
                            "    - irqchip/riscv-imsic: Separate next and previous pointers in IMSIC vector",
                            "    - drm/xe/client: Skip show_run_ticks if unable to read timestamp",
                            "    - drm/amd/pm: Fetch current power limit from PMFW",
                            "    - drm/amd/display: Add support for disconnected eDP streams",
                            "    - drm/amd/display: Guard against setting dispclk low when active",
                            "    - drm/amd/display: Fix BT2020 YCbCr limited/full range input",
                            "    - drm/amd/display: Read LTTPR ALPM caps during link cap retrieval",
                            "    - Revert \"drm/amd/display: Request HW cursor on DCN3.2 with SubVP\"",
                            "    - drm/amd/display: Don't treat wb connector as physical in",
                            "      create_validate_stream_for_sink",
                            "    - RDMA/core: Fix best page size finding when it can cross SG entries",
                            "    - pmdomain: imx: gpcv2: use proper helper for property detection",
                            "    - can: c_can: Use of_property_present() to test existence of DT property",
                            "    - bpf: don't do clean_live_states when state->loop_entry->branches > 0",
                            "    - eth: mlx4: don't try to complete XDP frames in netpoll",
                            "    - PCI: Fix old_size lower bound in calculate_iosize() too",
                            "    - ACPI: HED: Always initialize before evged",
                            "    - vxlan: Join / leave MC group after remote changes",
                            "    - posix-timers: Invoke cond_resched() during exit_itimers()",
                            "    - hrtimers: Replace hrtimer_clock_to_base_table with switch-case",
                            "    - irqchip/riscv-imsic: Set irq_set_affinity() for IMSIC base",
                            "    - media: test-drivers: vivid: don't call schedule in loop",
                            "    - bpf: Make every prog keep a copy of ctx_arg_info",
                            "    - net/mlx5: Modify LSB bitmask in temperature event to include only the",
                            "      first bit",
                            "    - net/mlx5: Apply rate-limiting to high temperature warning",
                            "    - firmware: arm_ffa: Reject higher major version as incompatible",
                            "    - firmware: arm_ffa: Handle the presence of host partition in the",
                            "      partition info",
                            "    - firmware: xilinx: Dont send linux address to get fpga config get status",
                            "    - io_uring: use IO_REQ_LINK_FLAGS more",
                            "    - io_uring: sanitise ring params earlier",
                            "    - ASoC: ops: Enforce platform maximum on initial value",
                            "    - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG",
                            "    - ASoC: tas2764: Mark SW_RESET as volatile",
                            "    - ASoC: tas2764: Power up/down amp on mute ops",
                            "    - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()",
                            "    - pinctrl: devicetree: do not goto err when probing hogs in",
                            "      pinctrl_dt_to_map",
                            "    - smack: recognize ipv4 CIPSO w/o categories",
                            "    - drm/xe/pf: Release all VFs configs on device removal",
                            "    - smack: Revert \"smackfs: Added check catlen\"",
                            "    - kunit: tool: Use qboot on QEMU x86_64",
                            "    - media: i2c: imx219: Correct the minimum vblanking value",
                            "    - media: v4l: Memset argument to 0 before calling get_mbus_config pad op",
                            "    - media: stm32: csi: use ARRAY_SIZE to search D-PHY table",
                            "    - media: stm32: csi: add missing pm_runtime_put on error",
                            "    - media: i2c: ov2740: Free control handler on error path",
                            "    - bnxt_en: Set NPAR 1.2 support when registering with firmware",
                            "    - net/mlx4_core: Avoid impossible mlx4_db_alloc() order value",
                            "    - drm/xe: Stop ignoring errors from xe_ttm_stolen_mgr_init()",
                            "    - drm/xe: Fix xe_tile_init_noalloc() error propagation",
                            "    - clk: qcom: ipq5018: allow it to be bulid on arm32",
                            "    - [Config] enable IPQ_GCC_5018 on armhf",
                            "    - accel/amdxdna: Refactor hardware context destroy routine",
                            "    - clk: qcom: clk-alpha-pll: Do not use random stack value for recalc rate",
                            "    - drm/xe/debugfs: fixed the return value of wedged_mode_set",
                            "    - drm/xe/debugfs: Add missing xe_pm_runtime_put in wedge_mode_set",
                            "    - x86/ibt: Handle FineIBT in handle_cfi_failure()",
                            "    - x86/traps: Cleanup and robustify decode_bug()",
                            "    - x86/boot: Mark start_secondary() with __noendbr",
                            "    - sched: Reduce the default slice to avoid tasks getting an extra tick",
                            "    - serial: sh-sci: Update the suspend/resume support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for pull up/down",
                            "    - drm/xe/display: Remove hpd cancel work sync from runtime pm path",
                            "    - phy: phy-rockchip-samsung-hdptx: Swap the definitions of LCPLL_REF and",
                            "      ROPLL_REF",
                            "    - phy: core: don't require set_mode() callback for phy_get_mode() to work",
                            "    - phy: exynos5-usbdrd: fix EDS distribution tuning (gs101)",
                            "    - soundwire: amd: change the soundwire wake enable/disable sequence",
                            "    - soundwire: cadence_master: set frame shape and divider based on actual",
                            "      clk freq",
                            "    - jbd2: Avoid long replay times due to high number or revoke blocks",
                            "    - net: stmmac: dwmac-loongson: Set correct {tx,rx}_fifo_size",
                            "    - scsi: usb: Rename the RESERVE and RELEASE constants",
                            "    - drm/amdgpu/mes11: fix set_hw_resources_1 calculation",
                            "    - drm/amdkfd: fix missing L2 cache info in topology",
                            "    - drm/amdgpu: Set snoop bit for SDMA for MI series",
                            "    - drm/amd/display: pass calculated dram_speed_mts to dml2",
                            "    - drm/amd/display: remove TF check for LLS policy",
                            "    - drm/amd/display: Don't try AUX transactions on disconnected link",
                            "    - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer",
                            "    - drm/amd/pm: Skip P2S load for SMU v13.0.12",
                            "    - drm/amd/display: Support multiple options during psr entry.",
                            "    - Revert \"drm/amd/display: Exit idle optimizations before attempt to",
                            "      access PHY\"",
                            "    - drm/amd/display: Fixes for mcache programming in DML21",
                            "    - drm/amd/display: Ammend DCPG IP control sequences to align with HW",
                            "      guidance",
                            "    - drm/amd/display: Account For OTO Prefetch Bandwidth When Calculating",
                            "      Urgent Bandwidth",
                            "    - drm/amd/display: Update CR AUX RD interval interpretation",
                            "    - drm/amd/display: Initial psr_version with correct setting",
                            "    - drm/amdgpu/gfx10: Add cleaner shader for GFX10.1.10",
                            "    - drm/amdgpu: Skip err_count sysfs creation on VF unsupported RAS blocks",
                            "    - amdgpu/soc15: enable asic reset for dGPU in case of suspend abort",
                            "    - drm/amd/display: Reverse the visual confirm recouts",
                            "    - drm/amd/display: Use Nominal vBlank If Provided Instead Of Capping It",
                            "    - drm/amd/display: Populate register address for dentist for dcn401",
                            "    - drm/amdgpu: Use active umc info from discovery",
                            "    - drm/amdgpu: enlarge the VBIOS binary size limit",
                            "    - drm/amdkfd: Have kfd driver use same PASID values from graphic driver",
                            "    - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer()",
                            "    - scsi: target: spc: Fix loop traversal in spc_rsoc_get_descr()",
                            "    - net/mlx5: XDP, Enable TX side XDP multi-buffer support",
                            "    - net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB",
                            "    - net/mlx5e: set the tx_queue_len for pfifo_fast",
                            "    - net/mlx5e: reduce rep rxq depth to 256 for ECPF",
                            "    - net/mlx5e: reduce the max log mpwrq sz for ECPF and reps",
                            "    - drm/v3d: Add clock handling",
                            "    - xfrm: prevent high SEQ input in non-ESN mode",
                            "    - iio: adc: ad7606: protect register access",
                            "    - wifi: ath12k: Enable MLO setup ready and teardown commands for single",
                            "      split-phy device",
                            "    - wifi: ath12k: use arvif instead of link_conf in ath12k_mac_set_key()",
                            "    - wifi: ath12k: fix the ampdu id fetch in the HAL_RX_MPDU_START TLV",
                            "    - wifi: ath12k: Update the peer id in PPDU end user stats TLV",
                            "    - mptcp: pm: userspace: flags: clearer msg if no remote addr",
                            "    - wifi: iwlwifi: use correct IMR dump variable",
                            "    - wifi: iwlwifi: don't warn during reprobe",
                            "    - wifi: mac80211: always send max agg subframe num in strict mode",
                            "    - wifi: mac80211: don't unconditionally call drv_mgd_complete_tx()",
                            "    - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call",
                            "    - wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx",
                            "    - wifi: mac80211: add HT and VHT basic set verification",
                            "    - wifi: mac80211: Drop cooked monitor support",
                            "    - net: fec: Refactor MAC reset to function",
                            "    - powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory",
                            "    - powerpc/pseries/iommu: create DDW for devices with DMA mask less than",
                            "      64-bits",
                            "    - arch/powerpc/perf: Check the instruction type before creating sample",
                            "      with perf_mem_data_src",
                            "    - ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure().",
                            "    - r8152: add vendor/device ID pair for Dell Alienware AW1022z",
                            "    - iio: adc: ad7944: don't use storagebits for sizing",
                            "    - igc: Avoid unnecessary link down event in XDP_SETUP_PROG process",
                            "    - pstore: Change kmsg_bytes storage size to u32",
                            "    - leds: trigger: netdev: Configure LED blink interval for HW offload",
                            "    - ext4: don't write back data before punch hole in nojournal mode",
                            "    - ext4: remove writable userspace mappings before truncating page cache",
                            "    - wifi: rtw88: Fix rtw_update_sta_info() for RTL8814AU",
                            "    - wifi: rtw88: Extend rtw_fw_send_ra_info() for RTL8814AU",
                            "    - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU",
                            "    - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU",
                            "    - wifi: rtw89: coex: Assign value over than 0 to avoid firmware timer hang",
                            "    - wifi: rtw89: fw: validate multi-firmware header before getting its size",
                            "    - wifi: rtw89: fw: validate multi-firmware header before accessing",
                            "    - wifi: rtw89: call power_on ahead before selecting firmware",
                            "    - iio: dac: ad3552r-hs: use instruction mode for configuration",
                            "    - iio: dac: adi-axi-dac: add bus mode setup",
                            "    - clk: qcom: camcc-sm8250: Use clk_rcg2_shared_ops for some RCGs",
                            "    - netdevsim: allow normal queue reset while down",
                            "    - net: page_pool: avoid false positive warning if NAPI was never added",
                            "    - tools/power turbostat: Clustered Uncore MHz counters should honor",
                            "      show/hide options",
                            "    - hwmon: (xgene-hwmon) use appropriate type for the latency value",
                            "    - drm/xe: Fix PVC RPe and RPa information",
                            "    - f2fs: introduce f2fs_base_attr for global sysfs entries",
                            "    - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is",
                            "      available",
                            "    - media: qcom: camss: Add default case in vfe_src_pad_code",
                            "    - drm/rockchip: vop2: Improve display modes handling on RK3588 HDMI0",
                            "    - eth: fbnic: set IFF_UNICAST_FLT to avoid enabling promiscuous mode when",
                            "      adding unicast addrs",
                            "    - tools: ynl-gen: don't output external constants",
                            "    - ipv4: ip_gre: Fix set but not used warning in ipgre_err() if IPv4-only",
                            "    - r8169: don't scan PHY addresses > 0",
                            "    - net: flush_backlog() small changes",
                            "    - bridge: mdb: Allow replace of a host-joined group",
                            "    - ice: init flow director before RDMA",
                            "    - ice: treat dyn_allowed only as suggestion",
                            "    - rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y",
                            "    - rcu: handle unstable rdp in rcu_read_unlock_strict()",
                            "    - rcu: fix header guard for rcu_all_qs()",
                            "    - perf: Avoid the read if the count is already updated",
                            "    - ice: count combined queues using Rx/Tx count",
                            "    - drm/xe/relay: Don't use GFP_KERNEL for new transactions",
                            "    - net/mana: fix warning in the writer of client oob",
                            "    - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine",
                            "    - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk",
                            "    - scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when",
                            "      pci_irq_vector() fails",
                            "    - scsi: lpfc: Reduce log message generation during ELS ring clean up",
                            "    - scsi: st: Restore some drive settings after reset",
                            "    - wifi: ath12k: Avoid napi_sync() before napi_enable()",
                            "    - HID: usbkbd: Fix the bit shift number for LED_KANA",
                            "    - arm64: zynqmp: add clock-output-names property in clock nodes",
                            "    - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode",
                            "    - ASoC: rt722-sdca: Add some missing readable registers",
                            "    - irqchip/riscv-aplic: Add support for hart indexes",
                            "    - dm vdo indexer: prevent unterminated string warning",
                            "    - dm vdo: use a short static string for thread name prefix",
                            "    - drm/ast: Find VBIOS mode from regular display size",
                            "    - bpf: Use kallsyms to find the function name of a struct_ops's stub",
                            "      function",
                            "    - bpftool: Fix readlink usage in get_fd_type",
                            "    - firmware: arm_scmi: Relax duplicate name constraint across protocol ids",
                            "    - perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt",
                            "    - perf/amd/ibs: Fix ->config to sample period calculation for OP PMU",
                            "    - clk: renesas: rzg2l-cpg: Refactor Runtime PM clock validation",
                            "    - wifi: rtl8xxxu: retry firmware download on error",
                            "    - wifi: rtw88: Don't use static local variable in",
                            "      rtw8822b_set_tx_power_index_by_rate",
                            "    - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet",
                            "    - spi: zynqmp-gqspi: Always acknowledge interrupts",
                            "    - regulator: ad5398: Add device tree support",
                            "    - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override",
                            "    - accel/qaic: Mask out SR-IOV PCI resources",
                            "    - drm/xe/pf: Reset GuC VF config when unprovisioning critical resource",
                            "    - wifi: ath9k: return by of_get_mac_address",
                            "    - wifi: ath12k: Fetch regdb.bin file from board-2.bin",
                            "    - drm/xe/pf: Move VFs reprovisioning to worker",
                            "    - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor",
                            "    - wifi: ath12k: report station mode receive rate for IEEE 802.11be",
                            "    - wifi: ath12k: report station mode transmit rate",
                            "    - drm: bridge: adv7511: fill stream capabilities",
                            "    - drm/nouveau: fix the broken marco GSP_MSG_MAX_SIZE",
                            "    - wifi: ath11k: Use dma_alloc_noncoherent for rx_tid buffer allocation",
                            "    - drm/ast: Hide Gens 1 to 3 TX detection in branch",
                            "    - drm/xe: Move suballocator init to after display init",
                            "    - drm/xe: Do not attempt to bootstrap VF in execlists mode",
                            "    - wifi: rtw89: coex: Separated Wi-Fi connecting event from Wi-Fi scan",
                            "      event",
                            "    - wifi: rtw89: coex: Add protect to avoid A2DP lag while Wi-Fi connecting",
                            "    - drm/xe/sa: Always call drm_suballoc_manager_fini()",
                            "    - drm/xe: Always setup GT MMIO adjustment data",
                            "    - drm/xe/guc: Drop error messages about missing GuC logs",
                            "    - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset",
                            "    - drm/buddy: fix issue that force_merge cannot free all roots",
                            "    - drm/xe: Add locks in gtidle code",
                            "    - drm/panel-edp: Add Starry 116KHD024006",
                            "    - drm: Add valid clones check",
                            "    - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work()",
                            "    - ASoC: sma1307: Fix error handling in sma1307_setting_loaded()",
                            "    - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group()",
                            "    - watchdog: aspeed: fix 64-bit division",
                            "    - drm/amdkfd: Correct F8_MODE for gfx950",
                            "    - drm/gem: Internally test import_attach for imported objects",
                            "    - virtgpu: don't reset on shutdown",
                            "    - x86/mm/init: Handle the special case of device private pages in",
                            "      add_pages(), to not increase max_pfn and trigger",
                            "      dma_addressing_limited() bounce buffers",
                            "    - bpf: abort verification if env->cur_state->loop_entry != NULL",
                            "    - ipv6: remove leftover ip6 cookie initializer",
                            "    - serial: sh-sci: Save and restore more registers",
                            "    - drm/amd/display: Exit idle optimizations before accessing PHY",
                            "    - drm/amdkfd: Fix error handling for missing PASID in",
                            "      'kfd_process_device_init_vm'",
                            "    - drm/amdkfd: Fix pasid value leak",
                            "    - wifi: mac80211: Add counter for all monitor interfaces",
                            "    - HID: Kconfig: Add LEDS_CLASS_MULTICOLOR dependency to HID_LOGITECH",
                            "    - net-sysfs: restore behavior for not running devices",
                            "    - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()",
                            "    - book3s64/radix: Fix compile errors when",
                            "      CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=n",
                            "    - pinctrl: meson: define the pull up/down resistor value as 60 kOhm",
                            "    - smb: server: smb2pdu: check return value of xa_store()",
                            "    - platform/x86/intel: hid: Add Pantherlake support",
                            "    - platform/x86: asus-wmi: Disable OOBE state after resume from hibernation",
                            "    - platform/x86: ideapad-laptop: add support for some new buttons",
                            "    - ASoC: cs42l43: Disable headphone clamps during type detection",
                            "    - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx",
                            "    - drm/ttm: fix the warning for hit_low and evict_low",
                            "    - nvme-pci: add quirks for device 126f:1001",
                            "    - nvme-pci: add quirks for WDC Blue SN550 15b7:5009",
                            "    - ALSA: usb-audio: Fix duplicated name in MIDI substream names",
                            "    - io_uring/fdinfo: annotate racy sq/cq head/tail reads",
                            "    - cifs: Fix and improve cifs_query_path_info() and cifs_query_file_info()",
                            "    - cifs: Fix changing times and read-only attr over SMB1",
                            "      smb_set_file_info() function",
                            "    - ASoC: intel/sdw_utils: Add volume limit to cs42l43 speakers",
                            "    - ASoC: intel/sdw_utils: Add volume limit to cs35l56 speakers",
                            "    - iio: accel: fxls8962af: Fix wakeup source leaks on device unbind",
                            "    - iio: adc: qcom-spmi-iadc: Fix wakeup source leaks on device unbind",
                            "    - iio: imu: st_lsm6dsx: Fix wakeup source leaks on device unbind",
                            "    - btrfs: compression: adjust cb->compressed_folios allocation type",
                            "    - btrfs: handle empty eb->folios in num_extent_folios()",
                            "    - tools: ynl-gen: validate 0 len strings from kernel",
                            "    - block: only update request sector if needed",
                            "    - wifi: iwlwifi: add support for Killer on MTL",
                            "    - xenbus: Allow PVH dom0 a non-local xenstore",
                            "    - drm/amd/display: Call FP Protect Before Mode Programming/Mode Support",
                            "    - soundwire: bus: Fix race on the creation of the IRQ domain",
                            "    - espintcp: remove encap socket caching to avoid reference leak",
                            "    - xfrm: Fix UDP GRO handling for some corner cases",
                            "    - dmaengine: idxd: Fix allowing write() from different address spaces",
                            "    - x86/sev: Fix operator precedence in GHCB_MSR_VMPL_REQ_LEVEL macro",
                            "    - kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork()",
                            "    - remoteproc: qcom_wcnss: Fix on platforms without fallback regulators",
                            "    - clk: sunxi-ng: d1: Add missing divider for MMC mod clocks",
                            "    - xfrm: Sanitize marks before insert",
                            "    - dmaengine: idxd: Fix ->poll() return value",
                            "    - dmaengine: fsl-edma: Fix return code for unhandled interrupts",
                            "    - irqchip/riscv-imsic: Start local sync timer on correct CPU",
                            "    - Bluetooth: L2CAP: Fix not checking l2cap_chan security level",
                            "    - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump",
                            "      handling",
                            "    - bridge: netfilter: Fix forwarding of fragmented packets",
                            "    - ice: fix vf->num_mac count with port representors",
                            "    - ice: Fix LACP bonds without SRIOV environment",
                            "    - loop: don't require ->write_iter for writable files in loop_configure",
                            "    - pinctrl: qcom: switch to devm_register_sys_off_handler()",
                            "    - net: dwmac-sun8i: Use parsed internal PHY address instead of 1",
                            "    - net: lan743x: Restore SGMII CTRL register on resume",
                            "    - xsk: Bring back busy polling support in XDP_COPY",
                            "    - io_uring: fix overflow resched cqe reordering",
                            "    - idpf: fix idpf_vport_splitq_napi_poll()",
                            "    - octeontx2-pf: use xdp_return_frame() to free xdp buffers",
                            "    - octeontx2-pf: Add AF_XDP non-zero copy support",
                            "    - octeontx2-pf: AF_XDP zero copy receive support",
                            "    - octeontx2-pf: Avoid adding dcbnl_ops for LBK and SDP vf",
                            "    - octeontx2-af: Set LMT_ENA bit for APR table entries",
                            "    - octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG",
                            "    - clk: s2mps11: initialise clk_hw_onecell_data::num before accessing",
                            "      ::hws[] in probe()",
                            "    - can: slcan: allow reception of short error messages",
                            "    - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext",
                            "    - ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms",
                            "    - ASoc: SOF: topology: connect DAI to a single DAI link",
                            "    - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback",
                            "      direction",
                            "    - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10",
                            "    - llc: fix data loss when reading from a socket in llc_ui_recvmsg()",
                            "    - can: kvaser_pciefd: Continue parsing DMA buf after dropped RX",
                            "    - can: kvaser_pciefd: Fix echo_skb race",
                            "    - io_uring/net: only retry recv bundle for a full transfer",
                            "    - net: dsa: microchip: linearize skb for tail-tagging switches",
                            "    - vmxnet3: update MTU after device quiesce",
                            "    - mmc: sdhci_am654: Add SDHCI_QUIRK2_SUPPRESS_V1P8_ENA quirk to am62",
                            "      compatible",
                            "    - pmdomain: renesas: rcar: Remove obsolete nullify checks",
                            "    - pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()",
                            "    - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature",
                            "    - drm/edid: fixed the bug that hdr metadata was not reset",
                            "    - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs",
                            "    - smb: client: Reset all search buffer pointers when releasing buffer",
                            "    - Input: xpad - add more controllers",
                            "    - highmem: add folio_test_partial_kmap()",
                            "    - memcg: always call cond_resched() after fn()",
                            "    - mm/page_alloc.c: avoid infinite retries caused by cpuset race",
                            "    - module: release codetag section when module load fails",
                            "    - taskstats: fix struct taskstats breaks backward compatibility since",
                            "      version 15",
                            "    - mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled",
                            "    - mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y",
                            "    - mm: vmalloc: actually use the in-place vrealloc region",
                            "    - mm: vmalloc: only zero-init on vrealloc shrink",
                            "    - octeontx2: hide unused label",
                            "    - wifi: mac80211: restore monitor for outgoing frames",
                            "    - nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs()",
                            "    - Bluetooth: btmtksdio: Check function enabled before doing close",
                            "    - Bluetooth: btmtksdio: Do close if SDIO card removed without close",
                            "    - Revert \"arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection\"",
                            "    - ksmbd: fix stream write failure",
                            "    - platform/x86: think-lmi: Fix attribute name usage for non-compliant",
                            "      items",
                            "    - spi: use container_of_cont() for to_spi_device()",
                            "    - spi: spi-fsl-dspi: restrict register range for regmap access",
                            "    - spi: spi-fsl-dspi: Halt the module after a new message transfer",
                            "    - spi: spi-fsl-dspi: Reset SR flags before sending a new message",
                            "    - drm/xe: Use xe_mmio_read32() to read mtcfg register",
                            "    - err.h: move IOMEM_ERR_PTR() to err.h",
                            "    - drm/i915/dp: Fix determining SST/MST mode during MTP TU state",
                            "      computation",
                            "    - drm/amdgpu/vcn4.0.5: split code along instances",
                            "    - gcc-15: make 'unterminated string initialization' just a warning",
                            "    - gcc-15: disable '-Wunterminated-string-initialization' entirely for now",
                            "    - Fix mis-uses of 'cc-option' for warning disablement",
                            "    - kbuild: Properly disable -Wunterminated-string-initialization for clang",
                            "    - Linux 6.14.9",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38050",
                            "    - mm/hugetlb: fix kernel NULL pointer dereference when replacing free",
                            "      hugetlb folios",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38029",
                            "    - kasan: avoid sleepable page allocation from atomic context",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38076",
                            "    - alloc_tag: allocate percpu counters for module tags dynamically",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) // Unable to",
                            "    put display on standby after resuming from hibernate (LP: #2121449)",
                            "    - Revert \"drm/amd: Keep display off while going into S4\"",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38051",
                            "    - smb: client: Fix use-after-free in cifs_fill_dirent",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38077",
                            "    - platform/x86: dell-wmi-sysman: Avoid buffer overflow in",
                            "      current_password_store()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38078",
                            "    - ALSA: pcm: Fix race of buffer access at PCM OSS layer",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38003",
                            "    - can: bcm: add missing rcu read protection for procfs content",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38004",
                            "    - can: bcm: add locking for bcm_op runtime updates",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38031",
                            "    - padata: do not leak refcount in reorder_work",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38079",
                            "    - crypto: algif_hash - fix double free in hash_accept",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38052",
                            "    - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38053",
                            "    - idpf: fix null-ptr-deref in idpf_features_check",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38032",
                            "    - mr: consolidate the ipmr_can_free_table() checks.",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38054",
                            "    - ptp: ocp: Limit signal/freq counts in summary output functions",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38055",
                            "    - perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38057",
                            "    - espintcp: fix skb leaks",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38058",
                            "    - __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38033",
                            "    - x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38059",
                            "    - btrfs: avoid NULL pointer dereference if no valid csum tree",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38034",
                            "    - btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38035",
                            "    - nvmet-tcp: don't restore null sk_state_change",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38036",
                            "    - drm/xe/vf: Perform early GT MMIO initialization to read GMDID",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38037",
                            "    - vxlan: Annotate FDB data races",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38038",
                            "    - cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38039",
                            "    - net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload",
                            "      enabled",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38080",
                            "    - drm/amd/display: Increase block_sequence array size",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38060",
                            "    - bpf: copy_verifier_state() should copy 'loop_entry' field",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38040",
                            "    - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38061",
                            "    - net: pktgen: fix access outside of user given buffer in",
                            "      pktgen_thread_write()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38062",
                            "    - genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of",
                            "      iommu_cookie",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38041",
                            "    - clk: sunxi-ng: h616: Reparent GPU clock during frequency changes",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38063",
                            "    - dm: fix unconditional IO throttle caused by REQ_PREFLUSH",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38064",
                            "    - virtio: break and reset virtio devices on device_shutdown()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38042",
                            "    - dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from",
                            "      k3_udma_glue_reset_rx_chn",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38043",
                            "    - firmware: arm_ffa: Set dma_mask for ffa devices",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38044",
                            "    - media: cx231xx: set device_caps for 417",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38065",
                            "    - orangefs: Do not truncate file size",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38066",
                            "    - dm cache: prevent BUG_ON by blocking retries on failed device resumes",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38067",
                            "    - rseq: Fix segfault on registration when rseq_cs is non-zero",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38068",
                            "    - crypto: lzo - Fix compression buffer overrun",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38069",
                            "    - PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38045",
                            "    - wifi: iwlwifi: fix debug actions order",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38070",
                            "    - ASoC: sma1307: Add NULL check in sma1307_setting_loaded()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38071",
                            "    - x86/mm: Check return value from memblock_phys_alloc_range()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38072",
                            "    - libnvdimm/labels: Fix divide error in nd_label_data_init()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38081",
                            "    - spi-rockchip: Fix register out of bounds access",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38047",
                            "    - x86/fred: Fix system hang during S4 resume with FRED enabled",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38073",
                            "    - block: fix race between set_blocksize and read paths",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38074",
                            "    - vhost-scsi: protect vq->log_used with vq->mutex",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38048",
                            "    - virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38075",
                            "    - scsi: target: iscsi: Fix timeout on deleted connection",
                            "",
                            "  * CVE-2025-38350",
                            "    - net/sched: Always pass notifications when child class becomes empty",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-32.32",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2121653,
                            1786013,
                            2120454,
                            2111521,
                            2120233,
                            2116247,
                            2115478,
                            2118499,
                            2116175,
                            2119526,
                            2115393,
                            2115738,
                            2118965,
                            2112330,
                            2111231,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119039,
                            2119039,
                            2119039,
                            2119039,
                            2119039,
                            2119010,
                            2119010,
                            2119010,
                            2119010,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2121449,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 29 Aug 2025 10:41:07 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-38056",
                                "url": "https://ubuntu.com/security/CVE-2025-38056",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Intel: hda: Fix UAF when reloading module  hda_generic_machine_select() appends -idisp to the tplg filename by allocating a new string with devm_kasprintf(), then stores the string right back into the global variable snd_soc_acpi_intel_hda_machines. When the module is unloaded, this memory is freed, resulting in a global variable pointing to freed memory.  Reloading the module then triggers a use-after-free:  BUG: KFENCE: use-after-free read in string+0x48/0xe0  Use-after-free read at 0x00000000967e0109 (in kfence-#99):  string+0x48/0xe0  vsnprintf+0x329/0x6e0  devm_kvasprintf+0x54/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64  allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):  devm_kmalloc+0x52/0x120  devm_kvasprintf+0x66/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):  release_nodes+0x43/0xb0  devres_release_all+0x90/0xf0  device_unbind_cleanup+0xe/0x70  device_release_driver_internal+0x1c1/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x42/0xb0  __do_sys_delete_module+0x1d1/0x310  do_syscall_64+0x82/0x190  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Fix it by copying the match array with devm_kmemdup_array() before we modify it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38008",
                                "url": "https://ubuntu.com/security/CVE-2025-38008",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/page_alloc: fix race condition in unaccepted memory handling  The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory.  Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone.  Sanity checks inside static_branch machinery detects it:  WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0  The comment around the WARN() explains the problem:  \t/* \t * Warn about the '-1' case though; since that means a \t * decrement is concurrent with a first (0->1) increment. IOW \t * people are trying to disable something that wasn't yet fully \t * enabled. This suggests an ordering problem on the user side. \t */  The effect of this static_branch optimization is only visible on microbenchmark.  Instead of adding more complexity around it, remove it altogether.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38014",
                                "url": "https://ubuntu.com/security/CVE-2025-38014",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: Refactor remove call with idxd_cleanup() helper  The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, engines and wqs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38015",
                                "url": "https://ubuntu.com/security/CVE-2025-38015",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix memory leak in error handling path of idxd_alloc  Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38005",
                                "url": "https://ubuntu.com/security/CVE-2025-38005",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma: Add missing locking  Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled:  [    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [    4.144867] Hardware name: pp-v12 (DT) [    4.148648] Workqueue: events udma_check_tx_completion [    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    4.160834] pc : udma_start.isra.0+0x34/0x238 [    4.165227] lr : udma_start.isra.0+0x30/0x238 [    4.169618] sp : ffffffc083cabcf0 [    4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [    4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [    4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [    4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [    4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [    4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [    4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [    4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [    4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [    4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [    4.244986] Call trace: [    4.247463]  udma_start.isra.0+0x34/0x238 [    4.251509]  udma_check_tx_completion+0xd0/0xdc [    4.256076]  process_one_work+0x244/0x3fc [    4.260129]  process_scheduled_works+0x6c/0x74 [    4.264610]  worker_thread+0x150/0x1dc [    4.268398]  kthread+0xd8/0xe8 [    4.271492]  ret_from_fork+0x10/0x20 [    4.275107] irq event stamp: 220 [    4.278363] hardirqs last  enabled at (219): 
[<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [    4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [    4.294879] softirqs last  enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [    4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [    4.311559] ---[ end trace 0000000000000000 ]---  This commit adds the missing locking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38009",
                                "url": "https://ubuntu.com/security/CVE-2025-38009",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: disable napi on driver removal  A warning on driver removal started occurring after commit 9dd05df8403b (\"net: warn if NAPI instance wasn't shut down\"). Disable tx napi before deleting it in mt76_dma_cleanup().   WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100  CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)  Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024  RIP: 0010:__netif_napi_del_locked+0xf0/0x100  Call Trace:  <TASK>  mt76_dma_cleanup+0x54/0x2f0 [mt76]  mt7921_pci_remove+0xd5/0x190 [mt7921e]  pci_device_remove+0x47/0xc0  device_release_driver_internal+0x19e/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x2e/0xb0  __do_sys_delete_module.isra.0+0x197/0x2e0  do_syscall_64+0x7b/0x160  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way.  Found by Linux Verification Center (linuxtesting.org).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38010",
                                "url": "https://ubuntu.com/security/CVE-2025-38010",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking  The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as:  [  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [  237.763103] Call trace: [  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170 [  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30 [  237.763110]  phy_power_off+0x48/0x100 [  237.763113]  tegra_xusb_enter_elpg+0x204/0x500 [  237.763119]  tegra_xusb_suspend+0x48/0x140 [  237.763122]  platform_pm_suspend+0x2c/0xb0 [  237.763125]  dpm_run_callback.isra.0+0x20/0xa0 [  237.763127]  __device_suspend+0x118/0x330 [  237.763129]  dpm_suspend+0x10c/0x1f0 [  237.763130]  dpm_suspend_start+0x88/0xb0 [  237.763132]  suspend_devices_and_enter+0x120/0x500 [  237.763135]  pm_suspend+0x1ec/0x270  The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count.  To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually.  With this change:   - The bias pad is powered on only when the mask is clear.   - Each UTMI pad is powered on or down based on its corresponding bit     in the mask, preventing redundant operations.   
- The overall power state of the shared bias pad is maintained     correctly during suspend/resume cycles.  The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38011",
                                "url": "https://ubuntu.com/security/CVE-2025-38011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: csa unmap use uninterruptible lock  After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace.  Change to use uninterruptible wait lock fix the issue.  WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525  amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]  Call Trace:   <TASK>   drm_file_free.part.0+0x1da/0x230 [drm]   drm_close_helper.isra.0+0x65/0x70 [drm]   drm_release+0x6a/0x120 [drm]   amdgpu_drm_release+0x51/0x60 [amdgpu]   __fput+0x9f/0x280   ____fput+0xe/0x20   task_work_run+0x67/0xa0   do_exit+0x217/0x3c0   do_group_exit+0x3b/0xb0   get_signal+0x14a/0x8d0   arch_do_signal_or_restart+0xde/0x100   exit_to_user_mode_loop+0xc1/0x1a0   exit_to_user_mode_prepare+0xf4/0x100   syscall_exit_to_user_mode+0x17/0x40   do_syscall_64+0x69/0xc0  (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38016",
                                "url": "https://ubuntu.com/security/CVE-2025-38016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: bpf: abort dispatch if device destroyed  The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages.  The bug will be triggered if the conditions below are met:  A) a device under the driver has some LEDs on B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)  If condition A is met, hidinput_led_worker() is always scheduled *after* hid_bpf_destroy_device().  hid_destroy_device ` hid_bpf_destroy_device   ` cleanup_srcu_struct(&hdev->bpf.srcu) ` hid_remove_device   ` ...     ` led_classdev_unregister       ` led_trigger_set(led_cdev, NULL)         ` led_set_brightness(led_cdev, LED_OFF)           ` ...             ` input_inject_event               ` input_event_dispose                 ` hidinput_input_event                   ` schedule_work(&hid->led_work) [hidinput_led_worker]  This is fine when condition B is not met, where hidinput_led_worker() calls hid_ll_driver->request(). This is the case for most HID drivers, which implement it or use the generic one from usbhid. The driver itself or an underlying driver will then abort processing the request.  Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads to the bug.  hidinput_led_worker ` hid_hw_output_report   ` dispatch_hid_bpf_output_report     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  The bug has existed since the introduction [2] of dispatch_hid_bpf_output_report(). 
However, the same bug also exists in dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect because of the lack of [1], but confirmed bpf.destroyed == 1) the bug against the commit (i.e., the Fixes:) introducing the function. This is because hidinput_led_worker() falls back to hid_hw_raw_request() when hid_ll_driver->output_report() is uninplemented (e.g., logitech- djreceiver).  hidinput_led_worker ` hid_hw_output_report: -ENOSYS ` hid_hw_raw_request   ` dispatch_hid_bpf_raw_requests     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  Fix the issue by returning early in the two mentioned functions if hid_bpf has been marked as destroyed. Though dispatch_hid_bpf_device_event() handles input events, and there is no evidence that it may be called after the destruction, the same check, as a safety net, is also added to it to maintain the consistency among all dispatch functions.  The impact of the bug on other architectures is unclear. Even if it acts as a hidden failure, this is still dangerous because it corrupts whatever is on the address calculated by SRCU. Thus, CC'ing the stable list.  [1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\") [2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for hid_hw_output_report\")",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38012",
                                "url": "https://ubuntu.com/security/CVE-2025-38012",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator  BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that next() and destroy() become noops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38018",
                                "url": "https://ubuntu.com/security/CVE-2025-38018",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix kernel panic when alloc_page failed  We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called.  This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we detached the rcvq from the frag list. Alternative fix would be to reset full_len.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028  Call trace:  tls_strp_check_rcv+0x128/0x27c  tls_strp_data_ready+0x34/0x44  tls_data_ready+0x3c/0x1f0  tcp_data_ready+0x9c/0xe4  tcp_data_queue+0xf6c/0x12d0  tcp_rcv_established+0x52c/0x798",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38019",
                                "url": "https://ubuntu.com/security/CVE-2025-38019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices  The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:   # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1  # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 NOARP  (Note that the neighbor is not marked with 'offload')  When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:   # devlink dev reload pci/0000:01:00.0  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 offload NOARP  If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:   # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1  # ip link del dev gre1  Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.  [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200 Read of size 8 at addr ffff888155b0e420 by task ip/2282 [...] 
Call Trace:  <TASK>  dump_stack_lvl+0x6f/0xa0  print_address_description.constprop.0+0x6f/0x350  print_report+0x108/0x205  kasan_report+0xdf/0x110  mlxsw_sp_neigh_entry_update+0x1ea/0x200  mlxsw_sp_router_rif_gone_sync+0x2a8/0x440  mlxsw_sp_rif_destroy+0x1e9/0x750  mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0  mlxsw_sp_router_netdevice_event+0x3ac/0x15e0  notifier_call_chain+0xca/0x150  call_netdevice_notifiers_info+0x7f/0x100  unregister_netdevice_many_notify+0xc8c/0x1d90  rtnl_dellink+0x34e/0xa50  rtnetlink_rcv_msg+0x6fb/0xb70  netlink_rcv_skb+0x131/0x360  netlink_unicast+0x426/0x710  netlink_sendmsg+0x75a/0xc20  __sock_sendmsg+0xc1/0x150  ____sys_sendmsg+0x5aa/0x7b0  ___sys_sendmsg+0xfc/0x180  __sys_sendmsg+0x121/0x1b0  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38013",
                                "url": "https://ubuntu.com/security/CVE-2025-38013",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request  Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller:  UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')  This was missed in the initial conversions because I failed to locate the allocation likely due to the \"sizeof(void *)\" not matching the \"channels\" array type.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38002",
                                "url": "https://ubuntu.com/security/CVE-2025-38002",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()  Not everything requires locking in there, which is why the 'has_lock' variable exists. But enough does that it's a bit unwieldy to manage. Wrap the whole thing in a ->uring_lock trylock, and just return with no output if we fail to grab it. The existing trylock() will already have greatly diminished utility/output for the failure case.  This fixes an issue with reading the SQE fields, if the ring is being actively resized at the same time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-06 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38027",
                                "url": "https://ubuntu.com/security/CVE-2025-38027",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regulator: max20086: fix invalid memory access  max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.  of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().  struct devm_of_regulator_matches is populated with the stack allocated matches array.  If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:  max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.  Followed by a stack trace matching the call flow described above.  Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.  This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38020",
                                "url": "https://ubuntu.com/security/CVE-2025-38020",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Disable MACsec offload for uplink representor profile  MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features.  If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set.  Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().  Kernel log:  Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace:  <TASK>  ? 
die_addr+0x3d/0xa0  ? exc_general_protection+0x144/0x220  ? asm_exc_general_protection+0x22/0x30  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? __mutex_lock+0x128/0x1dd0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mutex_lock_io_nested+0x1ae0/0x1ae0  ? lock_acquire+0x1c2/0x530  ? macsec_upd_offload+0x145/0x380  ? lockdep_hardirqs_on_prepare+0x400/0x400  ? kasan_save_stack+0x30/0x40  ? kasan_save_stack+0x20/0x40  ? kasan_save_track+0x10/0x30  ? __kasan_kmalloc+0x77/0x90  ? __kmalloc_noprof+0x249/0x6b0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]  macsec_update_offload+0x26c/0x820  ? macsec_set_mac_address+0x4b0/0x4b0  ? lockdep_hardirqs_on_prepare+0x284/0x400  ? _raw_spin_unlock_irqrestore+0x47/0x50  macsec_upd_offload+0x2c8/0x380  ? macsec_update_offload+0x820/0x820  ? __nla_parse+0x22/0x30  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240  genl_family_rcv_msg_doit+0x1cc/0x2a0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240  ? cap_capable+0xd4/0x330  genl_rcv_msg+0x3ea/0x670  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? macsec_update_offload+0x820/0x820  netlink_rcv_skb+0x12b/0x390  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? netlink_ack+0xd80/0xd80  ? rwsem_down_read_slowpath+0xf90/0xf90  ? netlink_deliver_tap+0xcd/0xac0  ? netlink_deliver_tap+0x155/0xac0  ? _copy_from_iter+0x1bb/0x12c0  genl_rcv+0x24/0x40  netlink_unicast+0x440/0x700  ? netlink_attachskb+0x760/0x760  ? lock_acquire+0x1c2/0x530  ? __might_fault+0xbb/0x170  netlink_sendmsg+0x749/0xc10  ? netlink_unicast+0x700/0x700  ? __might_fault+0xbb/0x170  ? netlink_unicast+0x700/0x700  __sock_sendmsg+0xc5/0x190  ____sys_sendmsg+0x53f/0x760  ? import_iovec+0x7/0x10  ? kernel_sendmsg+0x30/0x30  ? __copy_msghdr+0x3c0/0x3c0  ? 
filter_irq_stacks+0x90/0x90  ? stack_depot_save_flags+0x28/0xa30  ___sys_sen ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38021",
                                "url": "https://ubuntu.com/security/CVE-2025-38021",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp  Similar to commit 6a057072ddd1 (\"drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe\") that addresses a null pointer dereference on dcn20_update_dchubp_dpp. This is the same function hooked for update_dchubp_dpp in dcn401, with the same issue. Fix possible null pointer dereference on dcn401_program_pipe too.  (cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38006",
                                "url": "https://ubuntu.com/security/CVE-2025-38006",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mctp: Don't access ifa_index when missing  In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox \"ip addr show\".  The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index).  BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380  rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824  netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37992",
                                "url": "https://ubuntu.com/security/CVE-2025-37992",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: Flush gso_skb list too during ->change()  Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen.  This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-26 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38022",
                                "url": "https://ubuntu.com/security/CVE-2025-38022",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem  Call Trace:   __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc3/0x670 mm/kasan/report.c:521  kasan_report+0xe0/0x110 mm/kasan/report.c:634  strlen+0x93/0xa0 lib/string.c:420  __fortify_strlen include/linux/fortify-string.h:268 [inline]  get_kobj_path_length lib/kobject.c:118 [inline]  kobject_get_path+0x3f/0x2a0 lib/kobject.c:158  kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545  ib_register_device drivers/infiniband/core/device.c:1472 [inline]  ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393  rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552  rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550  rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225  nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796  rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195  rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]  netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339  netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566  ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620  __sys_sendmsg+0x16d/0x220 net/socket.c:2652  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This problem is similar to the problem that the commit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\") fixes.  
The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time.  The solution is to add the lock protection when this name is accessed in the function kobject_uevent().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38028",
                                "url": "https://ubuntu.com/security/CVE-2025-38028",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS/localio: Fix a race in nfs_local_open_fh()  Once the clp->cl_uuid.lock has been dropped, another CPU could come in and free the struct nfsd_file that was just added. To prevent that from happening, take the RCU read lock before dropping the spin lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38023",
                                "url": "https://ubuntu.com/security/CVE-2025-38023",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs: handle failure of nfs_get_lock_context in unlock path  When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example:  BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace:  <TASK>  __rpc_execute+0xbc/0x480  rpc_async_schedule+0x2f/0x40  process_one_work+0x232/0x5d0  worker_thread+0x1da/0x3d0  ? __pfx_worker_thread+0x10/0x10  kthread+0x10d/0x240  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x34/0x50  ? 
__pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]---  Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38007",
                                "url": "https://ubuntu.com/security/CVE-2025-38007",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: uclogic: Add NULL check in uclogic_input_configured()  devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38024",
                                "url": "https://ubuntu.com/security/CVE-2025-38024",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug  Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xcf/0x610 mm/kasan/report.c:489  kasan_report+0xb5/0xe0 mm/kasan/report.c:602  rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195  rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132  __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232  rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109  create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052  ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095  ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679  vfs_write fs/read_write.c:677 [inline]  vfs_write+0x26a/0xcc0 fs/read_write.c:659  ksys_write+0x1b8/0x200 fs/read_write.c:731  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur.  The solution is to let rxe_cleanup do all the work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38025",
                                "url": "https://ubuntu.com/security/CVE-2025-38025",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: adc: ad7606: check for NULL before calling sw_mode_config()  Check that the sw_mode_config function pointer is not NULL before calling it. Not all buses define this callback, which resulted in a NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37963",
                                "url": "https://ubuntu.com/security/CVE-2025-37963",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users  Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB.  In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37948",
                                "url": "https://ubuntu.com/security/CVE-2025-37948",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs  A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next.  On exit from a BPF program, emit the BHB mitigation sequence.  This is only applied for 'classic' cBPF programs that are loaded by seccomp.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37994",
                                "url": "https://ubuntu.com/security/CVE-2025-37994",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix NULL pointer access  This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37967",
                                "url": "https://ubuntu.com/security/CVE-2025-37967",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix deadlock  This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock scenario where ucsi_displayport_remove_partner holds con->mutex waiting for dp_altmode_work to complete while dp_altmode_work attempts to acquire it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37950",
                                "url": "https://ubuntu.com/security/CVE-2025-37950",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix panic in failed foilio allocation  commit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit 9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of pages\") save -ENOMEM in the folio array upon allocation failure and call the folio array free code.  The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic.  Fix by NULLing the error folio entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37995",
                                "url": "https://ubuntu.com/security/CVE-2025-37995",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  module: ensure that kobject_put() is safe for module type kobjects  In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37960",
                                "url": "https://ubuntu.com/security/CVE-2025-37960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memblock: Accept allocated memory before use in memblock_double_array()  When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest:    RIP: 0010:memcpy_orig+0x68/0x130   Code: ...   RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006   RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000   RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00   RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000   R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78   R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00   memblock_double_array+0xff/0x310   memblock_add_range+0x1fb/0x2f0   memblock_reserve+0x4f/0xa0   memblock_alloc_range_nid+0xac/0x130   memblock_alloc_internal+0x53/0xc0   memblock_alloc_try_nid+0x3d/0xa0   swiotlb_init_remap+0x149/0x2f0   mem_init+0xb/0xb0   mm_core_init+0x8f/0x350   start_kernel+0x17e/0x5d0   x86_64_start_reservations+0x14/0x30   x86_64_start_kernel+0x92/0xa0   secondary_startup_64_no_verify+0x194/0x19b  Mitigate this by calling accept_memory() on the memory range returned before the slab is available.  Prior to v6.12, the accept_memory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the accept_memory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37996",
                                "url": "https://ubuntu.com/security/CVE-2025-37996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()  Commit fce886a60207 (\"KVM: arm64: Plumb the pKVM MMU in KVM\") made the initialization of the local memcache variable in user_mem_abort() conditional, leaving a codepath where it is used uninitialized via kvm_pgtable_stage2_map().  This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging.  Fix this by making sure that memcache is always valid.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37949",
                                "url": "https://ubuntu.com/security/CVE-2025-37949",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xenbus: Use kref to track req lifetime  Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace:  <TASK>  __wake_up_common_lock+0x82/0xd0  process_msg+0x18e/0x2f0  xenbus_thread+0x165/0x1c0  process_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems like it was xs_wake_up() in this case.  It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed data.  Linux Device Drivers 2nd edition states: \"Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns.\" ... which would match the behaviour observed.  Change to keeping two krefs on each request.  One for the caller, and one for xenbus_thread.  Each will kref_put() when finished, and the last will free it.  This use of kref matches the description in Documentation/core-api/kref.rst",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37954",
                                "url": "https://ubuntu.com/security/CVE-2025-37954",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Avoid race in open_cached_dir with lease breaks  A pre-existing valid cfid returned from find_or_create_cached_dir might race with a lease break, meaning open_cached_dir doesn't consider it valid, and thinks it's newly-constructed. This leaks a dentry reference if the allocation occurs before the queued lease break work runs.  Avoid the race by holding the cfid_list_lock across both the find_or_create_cached_dir call and the check of its result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37965",
                                "url": "https://ubuntu.com/security/CVE-2025-37965",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix invalid context error in dml helper  [Why] \"BUG: sleeping function called from invalid context\" error. after: \"drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()\"  The populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag for memory allocation, which shouldn't be used in atomic contexts.  The allocation is needed only for using another helper function get_scaler_data_for_plane().  [How] Modify helpers to pass a pointer to scaler_data within existing context, eliminating the need for dynamic memory allocation/deallocation and copying.  (cherry picked from commit bd3e84bc98f81b44f2c43936bdadc3241d654259)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37951",
                                "url": "https://ubuntu.com/security/CVE-2025-37951",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/v3d: Add job to pending list if the reset was skipped  When a CL/CSD job times out, we check if the GPU has made any progress since the last timeout. If so, instead of resetting the hardware, we skip the reset and let the timer get rearmed. This gives long-running jobs a chance to complete.  However, when `timedout_job()` is called, the job in question is removed from the pending list, which means it won't be automatically freed through `free_job()`. Consequently, when we skip the reset and keep the job running, the job won't be freed when it finally completes.  This situation leads to a memory leak, as exposed in [1] and [2].  Similarly to commit 704d3d60fec4 (\"drm/etnaviv: don't block scheduler when GPU is still active\"), this patch ensures the job is put back on the pending list when extending the timeout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37968",
                                "url": "https://ubuntu.com/security/CVE-2025-37968",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: light: opt3001: fix deadlock due to concurrent flag access  The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock.  Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37969",
                                "url": "https://ubuntu.com/security/CVE-2025-37969",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo  Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37970",
                                "url": "https://ubuntu.com/security/CVE-2025-37970",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo  Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37966",
                                "url": "https://ubuntu.com/security/CVE-2025-37966",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL  When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes:  Oops - illegal instruction [#1]     [snip] epc : set_tagged_addr_ctrl+0x112/0x15a  ra : set_tagged_addr_ctrl+0x74/0x15a epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10     [snip] status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002     set_tagged_addr_ctrl+0x112/0x15a     __riscv_sys_prctl+0x352/0x73c     do_trap_ecall_u+0x17c/0x20c     andle_exception+0x150/0x15c  Fix it by checking if Supm is available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37957",
                                "url": "https://ubuntu.com/security/CVE-2025-37957",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception  Previously, commit ed129ec9057f (\"KVM: x86: forcibly leave nested mode on vCPU reset\") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM).  This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception while the vCPU is in SMM. This situation was reprodused using Syzkaller by:    1) Creating a KVM VM and vCPU   2) Sending a KVM_SMI ioctl to explicitly enter SMM   3) Executing invalid instructions causing consecutive exceptions and      eventually a triple fault  The issue manifests as follows:    WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112   kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Modules linked in:   CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted   6.1.130-syzkaller-00157-g164fe5dde9b6 #0   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),   BIOS 1.12.0-1 04/01/2014   RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Call Trace:    <TASK>    shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136    svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395    svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457    vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline]    vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062    kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283    kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:870 [inline]    __se_sys_ioctl fs/ioctl.c:856 [inline]    __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856    do_syscall_x64 arch/x86/entry/common.c:51 [inline]    do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81    
entry_SYSCALL_64_after_hwframe+0x6e/0xd8  Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN() in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper emulation of INIT.  SHUTDOWN on SVM is a weird edge case where KVM needs to do _something_ sane with the VMCB, since it's technically undefined, and INIT is the least awful choice given KVM's ABI.  So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of SMM to avoid any weirdness (and the WARN).  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [sean: massage changelog, make it clear this isn't architectural behavior]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37958",
                                "url": "https://ubuntu.com/security/CVE-2025-37958",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/huge_memory: fix dereferencing invalid pmd migration entry  When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below.  To prevent this invalid access, it is necessary to check the PMD migration entry and return early.  In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio.  Since the PMD migration entry is locked, it cannot be served as the target.  Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\"  BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The bug is found by syzkaller on an internal kernel, then confirmed on upstream.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37964",
                                "url": "https://ubuntu.com/security/CVE-2025-37964",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Eliminate window where TLB flushes may be inadvertently skipped  tl;dr: There is a window in the mm switching code where the new CR3 is set and the CPU should be getting TLB flushes for the new mm.  But should_flush_tlb() has a bug and suppresses the flush.  Fix it by widening the window where should_flush_tlb() sends an IPI.  Long Version:  === History ===  There were a few things leading up to this.  First, updating mm_cpumask() was observed to be too expensive, so it was made lazier.  But being lazy caused too many unnecessary IPIs to CPUs due to the now-lazy mm_cpumask().  So code was added to cull mm_cpumask() periodically[2].  But that culling was a bit too aggressive and skipped sending TLB flushes to CPUs that need them.  So here we are again.  === Problem ===  The too-aggressive code in should_flush_tlb() strikes in this window:  \t// Turn on IPIs for this CPU/mm combination, but only \t// if should_flush_tlb() agrees: \tcpumask_set_cpu(cpu, mm_cpumask(next));  \tnext_tlb_gen = atomic64_read(&next->context.tlb_gen); \tchoose_new_asid(next, next_tlb_gen, &new_asid, &need_flush); \tload_new_mm_cr3(need_flush); \t// ^ After 'need_flush' is set to false, IPIs *MUST* \t// be sent to this CPU and not be ignored.          this_cpu_write(cpu_tlbstate.loaded_mm, next); \t// ^ Not until this point does should_flush_tlb() \t// become true!  should_flush_tlb() will suppress TLB flushes between load_new_mm_cr3() and writing to 'loaded_mm', which is a window where they should not be suppressed.  Whoops.  === Solution ===  Thankfully, the fuzzy \"just about to write CR3\" window is already marked with loaded_mm==LOADED_MM_SWITCHING.  Simply checking for that state in should_flush_tlb() is sufficient to ensure that the CPU is targeted with an IPI.  This will cause more TLB flush IPIs.  
But the window is relatively small and I do not expect this to cause any kind of measurable performance impact.  Update the comment where LOADED_MM_SWITCHING is written since it grew yet another user.  Peter Z also raised a concern that should_flush_tlb() might not observe 'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off() writes them.  Add a barrier to ensure that they are observed in the order they are written.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37971",
                                "url": "https://ubuntu.com/security/CVE-2025-37971",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: bcm2835-camera: Initialise dev in v4l2_dev  Commit 42a2f6664e18 (\"staging: vc04_services: Move global g_state to vchiq_state\") changed mmal_init to pass dev->v4l2_dev.dev to vchiq_mmal_init, however nothing initialised dev->v4l2_dev, so we got a NULL pointer dereference.  Set dev->v4l2_dev.dev during bcm2835_mmal_probe. The device pointer could be passed into v4l2_device_register to set it, however that also has other effects that would need additional changes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37972",
                                "url": "https://ubuntu.com/security/CVE-2025-37972",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: mtk-pmic-keys - fix possible null pointer dereference  In mtk_pmic_keys_probe, the regs parameter is only set if the button is parsed in the device tree. However, on hardware where the button is left floating, that node will most likely be removed not to enable that input. In that case the code will try to dereference a null pointer.  Let's use the regs struct instead as it is defined for all supported platforms. Note that it is ok setting the key reg even if that latter is disabled as the interrupt won't be enabled anyway.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37959",
                                "url": "https://ubuntu.com/security/CVE-2025-37959",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Scrub packet on bpf_redirect_peer  When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be \"misused\" in another namespace.  As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function.      NETNS       MARK  IFACE  TUPLE                                FUNC     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 gro_cells_receive                              .active_extensions = (__u8)2,     [...]     4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53 skb_do_redirect                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 ip_rcv_core                              .active_extensions = (__u8)2,     [...]     
4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)                              .active_extensions = (__u8)2,  In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected. When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption.  This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37961",
                                "url": "https://ubuntu.com/security/CVE-2025-37961",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: fix uninit-value for saddr in do_output_route4  syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 (\"ipvs: do not use random local source address for tunnels\") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr.  [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 
arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4167 [inline]  slab_alloc_node mm/slub.c:4210 [inline]  __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367  kmalloc_noprof include/linux/slab.h:905 [inline]  ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]  __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engi ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37993",
                                "url": "https://ubuntu.com/security/CVE-2025-37993",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe  The spin lock tx_handling_spinlock in struct m_can_classdev is not being initialized. This leads the following spinlock bad magic complaint from the kernel, eg. when trying to send CAN frames with cansend from can-utils:  | BUG: spinlock bad magic on CPU#0, cansend/95 |  lock: 0xff60000002ec1010, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 | CPU: 0 UID: 0 PID: 95 Comm: cansend Not tainted 6.15.0-rc3-00032-ga79be02bba5c #5 NONE | Hardware name: MachineWare SIM-V (DT) | Call Trace: | [<ffffffff800133e0>] dump_backtrace+0x1c/0x24 | [<ffffffff800022f2>] show_stack+0x28/0x34 | [<ffffffff8000de3e>] dump_stack_lvl+0x4a/0x68 | [<ffffffff8000de70>] dump_stack+0x14/0x1c | [<ffffffff80003134>] spin_dump+0x62/0x6e | [<ffffffff800883ba>] do_raw_spin_lock+0xd0/0x142 | [<ffffffff807a6fcc>] _raw_spin_lock_irqsave+0x20/0x2c | [<ffffffff80536dba>] m_can_start_xmit+0x90/0x34a | [<ffffffff806148b0>] dev_hard_start_xmit+0xa6/0xee | [<ffffffff8065b730>] sch_direct_xmit+0x114/0x292 | [<ffffffff80614e2a>] __dev_queue_xmit+0x3b0/0xaa8 | [<ffffffff8073b8fa>] can_send+0xc6/0x242 | [<ffffffff8073d1c0>] raw_sendmsg+0x1a8/0x36c | [<ffffffff805ebf06>] sock_write_iter+0x9a/0xee | [<ffffffff801d06ea>] vfs_write+0x184/0x3a6 | [<ffffffff801d0a88>] ksys_write+0xa0/0xc0 | [<ffffffff801d0abc>] __riscv_sys_write+0x14/0x1c | [<ffffffff8079ebf8>] do_trap_ecall_u+0x168/0x212 | [<ffffffff807a830a>] handle_exception+0x146/0x152  Initializing the spin lock in m_can_class_allocate_dev solves that problem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37955",
                                "url": "https://ubuntu.com/security/CVE-2025-37955",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()  The selftests added to our CI by Bui Quang Minh recently reveals that there is a mem leak on the error path of virtnet_xsk_pool_enable():  unreferenced object 0xffff88800a68a000 (size 2048):   comm \"xdp_helper\", pid 318, jiffies 4294692778   hex dump (first 32 bytes):     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   backtrace (crc 0):     __kvmalloc_node_noprof+0x402/0x570     virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)     xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)     xsk_bind+0x6a5/0x1ae0     __sys_bind+0x15e/0x230     __x64_sys_bind+0x72/0xb0     do_syscall_64+0xc1/0x1d0     entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37962",
                                "url": "https://ubuntu.com/security/CVE-2025-37962",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix memory leak in parse_lease_state()  The previous patch that added bounds check for create lease context introduced a memory leak. When the bounds check fails, the function returns NULL without freeing the previously allocated lease_ctx_info structure.  This patch fixes the issue by adding kfree(lreq) before returning NULL in both boundary check cases.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37998",
                                "url": "https://ubuntu.com/security/CVE-2025-37998",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: Fix unsafe attribute parsing in output_userspace()  This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37952",
                                "url": "https://ubuntu.com/security/CVE-2025-37952",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: Fix UAF in __close_file_table_ids  A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this.  The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37947",
                                "url": "https://ubuntu.com/security/CVE-2025-37947",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent out-of-bounds stream writes by validating *pos  ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write.  This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37956",
                                "url": "https://ubuntu.com/security/CVE-2025-37956",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent rename with empty string  A client can send an empty newname string to the ksmbd server, which causes a kernel oops from d_alloc. This patch returns an error when attempting to rename a file or directory with an empty new name string.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37973",
                                "url": "https://ubuntu.com/security/CVE-2025-37973",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation  Currently during the multi-link element defragmentation process, the multi-link element length added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer.  To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37999",
                                "url": "https://ubuntu.com/security/CVE-2025-37999",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()  If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty `struct bio`.  Then it retries the bio_add_folio() call.  However, at this point, erofs_onlinefolio_split() has already been called which increments `folio->private`; the retry will call erofs_onlinefolio_split() again, but there will never be a matching erofs_onlinefolio_end() call.  This leaves the folio locked forever and all waiters will be stuck in folio_wait_bit_common().  This bug has been added by commit ce63cb62d794 (\"erofs: support unencoded inodes for fileio\"), but was practically unreachable because there was room for 256 folios in the `struct bio` - until commit 9f74ae8c9ac9 (\"erofs: shorten bvecs[] for file-backed mounts\") which reduced the array capacity to 16 folios.  It was now trivial to trigger the bug by manually invoking readahead from userspace, e.g.:   posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);  This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded.  This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38083",
                                "url": "https://ubuntu.com/security/CVE-2025-38083",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: prio: fix a race in prio_tune()  Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-20 12:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-28.28 -proposed tracker (LP: #2117649)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.07.14)",
                            "",
                            "  * Dell AIO backlight is not working, dell_uart_backlight module is missing",
                            "    (LP: #2083800)",
                            "    - [Config] enable CONFIG_DELL_UART_BACKLIGHT",
                            "",
                            "  * integrated I219-LM network adapter appears to be running too fast, causing",
                            "    synchronization issues when using the I219-LM PTP feature (LP: #2116072)",
                            "    - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13",
                            "",
                            "  * Audio broken on ThinkPad X13s (LP: #2115898)",
                            "    - SAUCE: Revert \"UBUNTU: SAUCE: Change: cracking sound fix\"",
                            "",
                            "  * Ubuntu 24.04+ arm64: screen resolution fixed to 1024x768 with last kernel",
                            "    update (LP: #2115068)",
                            "    - [Config] Replace FB_HYPERV with DRM_HYPERV",
                            "",
                            "  * [SRU][HPE 24.04] Patch Request for HPE iLO7 VGA device for Gen12 Servers",
                            "    (LP: #2114516)",
                            "    - drm/mgag200: Added support for the new device G200eH5",
                            "",
                            "  * A process exiting with an open /dev/snapshot fd causes a NULL pointer",
                            "    dereference caught by ubuntu_stress_smoke_test:sut-scan (LP: #2113990)",
                            "    - libfs: export find_next_child()",
                            "    - efivarfs: support freeze/thaw",
                            "",
                            "  * [SRU] Add support for new hotkey of F9 on Thinkpad X9 (LP: #2115022)",
                            "    - platform/x86: thinkpad-acpi: Add support for new hotkey for camera",
                            "      shutter switch",
                            "",
                            "  * [SRU] Fix GT0: Engine reset when suspend on Intel LNL (LP: #2114697)",
                            "    - drm/xe/sched: stop re-submitting signalled jobs",
                            "",
                            "  * CVE-2025-38056",
                            "    - devres: Introduce devm_kmemdup_array()",
                            "    - ASoC: SOF: Intel: hda: Fix UAF when reloading module",
                            "",
                            "  * Handle IOMMU IVRS entries with mismatched UID on AMD Strix or newer",
                            "    platforms (LP: #2115174)",
                            "    - iommu/amd: Allow matching ACPI HID devices without matching UIDs",
                            "",
                            "  * [UBUNTU 22.04] kernel: Fix z17 elf platform recognition (LP: #2114450)",
                            "    - s390: Add z17 elf platform",
                            "",
                            "  * [UBUNTU 24.04] Kernel: Add CPUMF extended counter set for z17",
                            "    (LP: #2114258)",
                            "    - s390/cpumf: Update CPU Measurement facility extended counter set support",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266)",
                            "    - arm64: dts: rockchip: Assign RT5616 MCLK rate on rk3588-friendlyelec-",
                            "      cm3588",
                            "    - fs/xattr.c: fix simple_xattr_list to always include security.* xattrs",
                            "    - drivers/platform/x86/amd: pmf: Check for invalid sideloaded Smart PC",
                            "      Policies",
                            "    - drivers/platform/x86/amd: pmf: Check for invalid Smart PC Policies",
                            "    - x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through AMD_NODE",
                            "    - platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive",
                            "      drivers",
                            "    - arm64: dts: rockchip: fix Sige5 RTC interrupt pin",
                            "    - riscv: dts: sophgo: fix DMA data-width configuration for CV18xx",
                            "    - binfmt_elf: Move brk for static PIE even if ASLR disabled",
                            "    - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie",
                            "      14XA (GX4HRXL)",
                            "    - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection",
                            "    - arm64: dts: imx8mp-var-som: Fix LDO5 shutdown causing SD card timeout",
                            "    - cgroup/cpuset: Extend kthread_is_per_cpu() check to all",
                            "      PF_NO_SETAFFINITY tasks",
                            "    - tracing: fprobe: Fix RCU warning message in list traversal",
                            "    - tracing: probes: Fix a possible race in trace_probe_log APIs",
                            "    - tpm: tis: Double the timeout B to 4s",
                            "    - iio: adc: ad7606: move the software mode configuration",
                            "    - iio: adc: ad7606: move software functions into common file",
                            "    - HID: thrustmaster: fix memory leak in thrustmaster_interrupts()",
                            "    - spi: loopback-test: Do not split 1024-byte hexdumps",
                            "    - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags",
                            "    - drm/meson: Use 1000ULL when operating with mode->clock",
                            "    - tools/net/ynl: ethtool: fix crash when Hardware Clock info is missing",
                            "    - tests/ncdevmem: Fix double-free of queue array",
                            "    - net: mctp: Ensure keys maintain only one ref to corresponding dev",
                            "    - ALSA: seq: Fix delivery of UMP events to group ports",
                            "    - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info",
                            "    - net: cadence: macb: Fix a possible deadlock in macb_halt_tx.",
                            "    - net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING",
                            "    - nvme-pci: make nvme_pci_npages_prp() __always_inline",
                            "    - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable",
                            "    - ALSA: sh: SND_AICA should depend on SH_DMA_API",
                            "    - net: dsa: b53: prevent standalone from trying to forward to other ports",
                            "    - vsock/test: Fix occasional failure in SIOCOUTQ tests",
                            "    - qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()",
                            "    - octeontx2-pf: Fix ethtool support for SDP representors",
                            "    - drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value",
                            "    - netlink: specs: tc: fix a couple of attribute names",
                            "    - netlink: specs: tc: all actions are indexed arrays",
                            "    - octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy",
                            "    - net: ethernet: mtk_eth_soc: fix typo for declaration MT7988 ESW",
                            "      capability",
                            "    - octeontx2-af: Fix CGX Receive counters",
                            "    - octeontx2-pf: Do not reallocate all ntuple filters",
                            "    - tsnep: fix timestamping with a stacked DSA driver",
                            "    - ublk: fix dead loop when canceling io command",
                            "    - NFSv4/pnfs: Reset the layout state after a layoutreturn",
                            "    - dmaengine: Revert \"dmaengine: dmatest: Fix dmatest waiting less when",
                            "      interrupted\"",
                            "    - Revert \"kbuild, rust: use -fremap-path-prefix to make paths relative\"",
                            "    - udf: Make sure i_lenExtents is uptodate on inode eviction",
                            "    - HID: amd_sfh: Fix SRA sensor when it's the only sensor",
                            "    - LoongArch: Prevent cond_resched() occurring within kernel-fpu",
                            "    - LoongArch: Move __arch_cpu_idle() to .cpuidle.text section",
                            "    - LoongArch: Save and restore CSR.CNTC for hibernation",
                            "    - LoongArch: Fix MAX_REG_OFFSET calculation",
                            "    - LoongArch: uprobes: Remove user_{en,dis}able_single_step()",
                            "    - LoongArch: uprobes: Remove redundant code about resume_era",
                            "    - btrfs: fix discard worker infinite loop after disabling discard",
                            "    - btrfs: fix folio leak in submit_one_async_extent()",
                            "    - btrfs: add back warning for mount option commit values exceeding 300",
                            "    - Revert \"drm/amd/display: Hardware cursor changes color when switched to",
                            "      software cursor\"",
                            "    - drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc()",
                            "    - drm/amdgpu: fix incorrect MALL size for GFX1151",
                            "    - drm/amd/display: Correct the reply value when AUX write incomplete",
                            "    - drm/amd/display: Avoid flooding unnecessary info messages",
                            "    - MAINTAINERS: Update Alexey Makhalov's email address",
                            "    - gpio: pca953x: fix IRQ storm on system wake up",
                            "    - ACPI: PPTT: Fix processor subtable walk",
                            "    - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()",
                            "    - ALSA: usb-audio: Add sample rate quirk for Audioengine D1",
                            "    - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera",
                            "    - dma-buf: insert memory barrier before updating num_fences",
                            "    - arm64: dts: amlogic: dreambox: fix missing clkc_audio node",
                            "    - arm64: dts: rockchip: Allow Turing RK1 cooling fan to spin down",
                            "    - arm64: dts: rockchip: Remove overdrive-mode OPPs from RK3588J SoC dtsi",
                            "    - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages",
                            "    - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array",
                            "    - hv_netvsc: Remove rmsg_pgcnt",
                            "    - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges",
                            "    - Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer()",
                            "    - kbuild: Disable -Wdefault-const-init-unsafe",
                            "    - i2c: designware: Fix an error handling path in i2c_dw_pci_probe()",
                            "    - ftrace: Fix preemption accounting for stacktrace trigger command",
                            "    - ftrace: Fix preemption accounting for stacktrace filter command",
                            "    - x86/sev: Do not touch VMSA pages during SNP guest memory kdump",
                            "    - x86/sev: Make sure pages are not skipped during kdump",
                            "    - tracing: samples: Initialize trace_array_printk() with the correct",
                            "      function",
                            "    - phy: Fix error handling in tegra_xusb_port_init",
                            "    - net: dsa: microchip: let phylink manage PHY EEE configuration on KSZ",
                            "      switches",
                            "    - net: phy: micrel: remove KSZ9477 EEE quirks now handled by phylink",
                            "    - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind",
                            "    - phy: renesas: rcar-gen3-usb2: Set timing registers only once",
                            "    - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer",
                            "    - smb: client: fix memory leak during error handling for POSIX mkdir",
                            "    - spi: tegra114: Use value to check for invalid delays",
                            "    - tpm: Mask TPM RC in tpm2_start_auth_session()",
                            "    - wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl",
                            "    - ring-buffer: Fix persistent buffer when commit page is the reader page",
                            "    - net: qede: Initialize qede_ll_ops with designated initializer",
                            "    - io_uring/memmap: don't use page_address() on a highmem page",
                            "    - io_uring/uring_cmd: fix hybrid polling initialization issue",
                            "    - mm: hugetlb: fix incorrect fallback for subpool",
                            "    - mm: userfaultfd: correct dirty flags set for both present and swap pte",
                            "    - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure",
                            "      instead of a local copy",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_setup_wqs",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_setup_engines",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_setup_groups",
                            "    - dmaengine: idxd: Add missing cleanup for early error out in",
                            "      idxd_setup_internals",
                            "    - dmaengine: idxd: Add missing cleanups in cleanup internals",
                            "    - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove",
                            "      call",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_pci_probe",
                            "    - accel/ivpu: Use workqueue for IRQ handling",
                            "    - accel/ivpu: Dump only first MMU fault from single context",
                            "    - accel/ivpu: Move parts of MMU event IRQ handling to thread handler",
                            "    - accel/ivpu: Fix missing MMU events from reserved SSID",
                            "    - accel/ivpu: Fix missing MMU events if file_priv is unbound",
                            "    - accel/ivpu: Flush pending jobs of device's workqueues",
                            "    - drm/xe/gsc: do not flush the GSC worker from the reset path",
                            "    - perf tools: Fix build error for LoongArch",
                            "    - phy: tegra: xusb: remove a stray unlock",
                            "    - Linux 6.14.8",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38008",
                            "    - mm/page_alloc: fix race condition in unaccepted memory handling",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38014",
                            "    - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38015",
                            "    - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38005",
                            "    - dmaengine: ti: k3-udma: Add missing locking",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38009",
                            "    - wifi: mt76: disable napi on driver removal",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38010",
                            "    - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38011",
                            "    - drm/amdgpu: csa unmap use uninterruptible lock",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38016",
                            "    - HID: bpf: abort dispatch if device destroyed",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38012",
                            "    - sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38018",
                            "    - net/tls: fix kernel panic when alloc_page failed",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38019",
                            "    - mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38013",
                            "    - wifi: mac80211: Set n_channels after allocating struct",
                            "      cfg80211_scan_request",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38002",
                            "    - io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38027",
                            "    - regulator: max20086: fix invalid memory access",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38020",
                            "    - net/mlx5e: Disable MACsec offload for uplink representor profile",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38021",
                            "    - drm/amd/display: Fix null check of pipe_ctx->plane_state for",
                            "      update_dchubp_dpp",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38006",
                            "    - net: mctp: Don't access ifa_index when missing",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-37992",
                            "    - net_sched: Flush gso_skb list too during ->change()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38022",
                            "    - RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\"",
                            "      problem",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38028",
                            "    - NFS/localio: Fix a race in nfs_local_open_fh()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38023",
                            "    - nfs: handle failure of nfs_get_lock_context in unlock path",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38007",
                            "    - HID: uclogic: Add NULL check in uclogic_input_configured()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38024",
                            "    - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38025",
                            "    - iio: adc: ad7606: check for NULL before calling sw_mode_config()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252)",
                            "    - dm: add missing unlock on in dm_keyslot_evict()",
                            "    - Revert \"btrfs: canonicalize the device path before adding it\"",
                            "    - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2",
                            "    - firmware: arm_scmi: Fix timeout checks on polling path",
                            "    - can: mcan: m_can_class_unregister(): fix order of unregistration calls",
                            "    - vfio/pci: Align huge faults to order",
                            "    - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls",
                            "    - can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls",
                            "    - s390/entry: Fix last breaking event handling in case of stack corruption",
                            "    - SAUCE: Revert \"sch_htb: make htb_deactivate() idempotent\"",
                            "    - sch_htb: make htb_deactivate() idempotent",
                            "    - virtio-net: don't re-enable refill work too early when NAPI is disabled",
                            "    - gre: Fix again IPv6 link-local address generation.",
                            "    - net: ethernet: mtk_eth_soc: reset all TX queues on DMA free",
                            "    - net: ethernet: mtk_eth_soc: do not reset PSE when setting FE",
                            "    - can: mcp251xfd: fix TDC setting for low data bit rates",
                            "    - can: gw: fix RCU/BH usage in cgw_create_job()",
                            "    - wifi: mac80211: fix the type of status_code for negotiated TID to Link",
                            "      Mapping",
                            "    - ice: use DSN instead of PCI BDF for ice_adapter index",
                            "    - erofs: ensure the extra temporary copy is valid for shortened bvecs",
                            "    - net: dsa: b53: allow leaky reserved multicast",
                            "    - net: dsa: b53: keep CPU port always tagged again",
                            "    - net: dsa: b53: fix clearing PVID of a port",
                            "    - net: dsa: b53: fix flushing old pvid VLAN on pvid change",
                            "    - net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave",
                            "    - net: dsa: b53: always rejoin default untagged VLAN on bridge leave",
                            "    - net: dsa: b53: do not allow to configure VLAN 0",
                            "    - net: dsa: b53: do not program vlans when vlan filtering is off",
                            "    - net: dsa: b53: fix toggling vlan_filtering",
                            "    - net: dsa: b53: fix learning on VLAN unaware bridges",
                            "    - net: dsa: b53: do not set learning and unicast/multicast on up",
                            "    - fbnic: Fix initialization of mailbox descriptor rings",
                            "    - fbnic: Gate AXI read/write enabling on FW mailbox",
                            "    - fbnic: Actually flush_tx instead of stalling out",
                            "    - fbnic: Cleanup handling of completions",
                            "    - fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready",
                            "    - fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context",
                            "    - fbnic: Do not allow mailbox to toggle to ready outside",
                            "      fbnic_mbx_poll_tx_ready",
                            "    - net: export a helper for adding up queue stats",
                            "    - virtio-net: fix total qstat values",
                            "    - Input: cyttsp5 - ensure minimum reset pulse width",
                            "    - Input: cyttsp5 - fix power control issue on wakeup",
                            "    - Input: xpad - fix Share button on Xbox One controllers",
                            "    - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller",
                            "    - Input: xpad - fix two controller table values",
                            "    - Input: synaptics - enable InterTouch on Dynabook Portege X30-D",
                            "    - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G",
                            "    - Input: synaptics - enable InterTouch on Dell Precision M3800",
                            "    - Input: synaptics - enable SMBus for HP Elitebook 850 G1",
                            "    - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5",
                            "    - rust: clean Rust 1.88.0's `unnecessary_transmutes` lint",
                            "    - objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0",
                            "    - rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros`",
                            "      configuration",
                            "    - uio_hv_generic: Fix sysfs creation path for ring buffer",
                            "    - staging: iio: adc: ad7816: Correct conditional logic for store mode",
                            "    - staging: axis-fifo: Remove hardware resets for user errors",
                            "    - staging: axis-fifo: Correct handling of tx_fifo_depth for size",
                            "      validation",
                            "    - mm: fix folio_pte_batch() on XEN PV",
                            "    - mm: vmalloc: support more granular vrealloc() sizing",
                            "    - mm/userfaultfd: fix uninitialized output field for -EAGAIN race",
                            "    - selftests/mm: compaction_test: support platform with huge mount of",
                            "      memory",
                            "    - selftests/mm: fix a build failure on powerpc",
                            "    - selftests/mm: fix build break when compiling pkey_util.c",
                            "    - KVM: x86/mmu: Prevent installing hugepages when mem attributes are",
                            "      changing",
                            "    - drm/amd/display: Shift DMUB AUX reply command if necessary",
                            "    - io_uring: ensure deferred completions are flushed for multishot",
                            "    - iio: adc: ad7768-1: Fix insufficient alignment of timestamp.",
                            "    - iio: adc: ad7266: Fix potential timestamp alignment issue.",
                            "    - iio: adc: ad7606: fix serial register access",
                            "    - iio: adc: rockchip: Fix clock initialization sequence",
                            "    - iio: adis16201: Correct inclinometer channel resolution",
                            "    - iio: chemical: sps30: use aligned_s64 for timestamp",
                            "    - iio: chemical: pms7003: use aligned_s64 for timestamp",
                            "    - iio: hid-sensor-prox: Restore lost scale assignments",
                            "    - iio: hid-sensor-prox: support multi-channel SCALE calculation",
                            "    - iio: hid-sensor-prox: Fix incorrect OFFSET calculation",
                            "    - iio: imu: inv_mpu6050: align buffer for timestamp",
                            "    - iio: pressure: mprls0025pa: use aligned_s64 for timestamp",
                            "    - Revert \"drm/amd: Stop evicting resources on APUs in suspend\"",
                            "    - drm/xe: Add page queue multiplier",
                            "    - drm/amdgpu: fix pm notifier handling",
                            "    - drm/amdgpu/vcn: using separate VCN1_AON_SOC offset",
                            "    - drm/amd/display: Fix the checking condition in dmub aux handling",
                            "    - drm/amd/display: Remove incorrect checking in dmub aux handler",
                            "    - drm/amd/display: Fix wrong handling for AUX_DEFER case",
                            "    - drm/amd/display: Copy AUX read reply data whenever length > 0",
                            "    - xhci: dbc: Avoid event polling busyloop if pending rx transfers are",
                            "      inactive.",
                            "    - usb: uhci-platform: Make the clock really optional",
                            "    - xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it",
                            "    - accel/ivpu: Increase state dump msg timeout",
                            "    - arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to",
                            "      prevent wrong idmap generation",
                            "    - clocksource/i8253: Use raw_spinlock_irqsave() in",
                            "      clockevent_i8253_disable()",
                            "    - x86/microcode: Consolidate the loader enablement checking",
                            "    - ocfs2: fix the issue with discontiguous allocation in the global_bitmap",
                            "    - ocfs2: switch osb->disable_recovery to enum",
                            "    - ocfs2: implement handshaking with ocfs2 recovery thread",
                            "    - ocfs2: stop quota recovery before disabling quotas",
                            "    - usb: dwc3: gadget: Make gadget_wakeup asynchronous",
                            "    - usb: cdnsp: Fix issue with resuming from L1",
                            "    - usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version",
                            "    - usb: gadget: f_ecm: Add get_status callback",
                            "    - usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN",
                            "    - usb: gadget: Use get_status callback to set remote wakeup capability",
                            "    - usb: host: tegra: Prevent host controller crash when OTG port is used",
                            "    - usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs",
                            "    - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition",
                            "    - USB: usbtmc: use interruptible sleep in usbtmc_read",
                            "    - usb: usbtmc: Fix erroneous get_stb ioctl error returns",
                            "    - usb: usbtmc: Fix erroneous wait_srq ioctl return",
                            "    - usb: usbtmc: Fix erroneous generic_read ioctl return",
                            "    - iio: imu: bmi270: fix initial sampling frequency configuration",
                            "    - iio: accel: adxl367: fix setting odr for activity time update",
                            "    - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer.",
                            "    - iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64",
                            "    - iio: adc: dln2: Use aligned_s64 for timestamp",
                            "    - timekeeping: Prevent coarse clocks going backwards",
                            "    - accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation",
                            "    - accel/ivpu: Correct mutex unlock order in job submission",
                            "    - MIPS: Fix MAX_REG_OFFSET",
                            "    - riscv: misaligned: Add handling for ZCB instructions",
                            "    - loop: factor out a loop_assign_backing_file helper",
                            "    - loop: Add sanity check for read/write_iter",
                            "    - drm/panel: simple: Update timings for AUO G101EVN010",
                            "    - nvme: unblock ctrl state transition for firmware update",
                            "    - riscv: misaligned: factorize trap handling",
                            "    - riscv: misaligned: enable IRQs while handling misaligned accesses",
                            "    - riscv: Disallow PR_GET_TAGGED_ADDR_CTRL without Supm",
                            "    - drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs",
                            "    - drm/xe: Release force wake first then runtime power",
                            "    - io_uring/sqpoll: Increase task_work submission batch size",
                            "    - do_umount(): add missing barrier before refcount checks in sync case",
                            "    - rust: allow Rust 1.87.0's `clippy::ptr_eq` lint",
                            "    - rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint",
                            "    - io_uring: always arm linked timeouts prior to issue",
                            "    - Bluetooth: btmtk: Remove the resetting step before downloading the fw",
                            "    - mm: page_alloc: don't steal single pages from biggest buddy",
                            "    - mm: page_alloc: speed up fallbacks in rmqueue_bulk()",
                            "    - arm64: insn: Add support for encoding DSB",
                            "    - arm64: proton-pack: Expose whether the platform is mitigated by firmware",
                            "    - arm64: proton-pack: Expose whether the branchy loop k value",
                            "    - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation",
                            "    - x86/bpf: Call branch history clearing sequence on exit",
                            "    - x86/bpf: Add IBHF call at end of classic BPF",
                            "    - x86/bhi: Do not set BHI_DIS_S in 32-bit mode",
                            "    - Documentation: x86/bugs/its: Add ITS documentation",
                            "    - x86/its: Enumerate Indirect Target Selection (ITS) bug",
                            "    - x86/its: Add support for ITS-safe indirect thunk",
                            "    - x86/its: Add support for ITS-safe return thunk",
                            "    - x86/its: Enable Indirect Target Selection mitigation",
                            "    - [Config] enable MITIGATION_ITS",
                            "    - x86/its: Add \"vmexit\" option to skip mitigation on some CPUs",
                            "    - x86/its: Add support for RSB stuffing mitigation",
                            "    - x86/its: Align RETs in BHB clear sequence to avoid thunking",
                            "    - x86/ibt: Keep IBT disabled during alternative patching",
                            "    - x86/its: Use dynamic thunks for indirect branches",
                            "    - selftest/x86/bugs: Add selftests for ITS",
                            "    - x86/its: Fix build errors when CONFIG_MODULES=n",
                            "    - x86/its: FineIBT-paranoid vs ITS",
                            "    - Linux 6.14.7",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37963",
                            "    - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37948",
                            "    - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37994",
                            "    - usb: typec: ucsi: displayport: Fix NULL pointer access",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37967",
                            "    - usb: typec: ucsi: displayport: Fix deadlock",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37950",
                            "    - ocfs2: fix panic in failed foilio allocation",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37995",
                            "    - module: ensure that kobject_put() is safe for module type kobjects",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37960",
                            "    - memblock: Accept allocated memory before use in memblock_double_array()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37996",
                            "    - KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37949",
                            "    - xenbus: Use kref to track req lifetime",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37954",
                            "    - smb: client: Avoid race in open_cached_dir with lease breaks",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37965",
                            "    - drm/amd/display: Fix invalid context error in dml helper",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37951",
                            "    - drm/v3d: Add job to pending list if the reset was skipped",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37968",
                            "    - iio: light: opt3001: fix deadlock due to concurrent flag access",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37969",
                            "    - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37970",
                            "    - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37966",
                            "    - riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37957",
                            "    - KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37958",
                            "    - mm/huge_memory: fix dereferencing invalid pmd migration entry",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37964",
                            "    - x86/mm: Eliminate window where TLB flushes may be inadvertently skipped",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37971",
                            "    - staging: bcm2835-camera: Initialise dev in v4l2_dev",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37972",
                            "    - Input: mtk-pmic-keys - fix possible null pointer dereference",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37959",
                            "    - bpf: Scrub packet on bpf_redirect_peer",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37961",
                            "    - ipvs: fix uninit-value for saddr in do_output_route4",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37993",
                            "    - can: m_can: m_can_class_allocate_dev(): initialize spin lock on device",
                            "      probe",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37955",
                            "    - virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37962",
                            "    - ksmbd: fix memory leak in parse_lease_state()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37998",
                            "    - openvswitch: Fix unsafe attribute parsing in output_userspace()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37952",
                            "    - ksmbd: Fix UAF in __close_file_table_ids",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37947",
                            "    - ksmbd: prevent out-of-bounds stream writes by validating *pos",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37956",
                            "    - ksmbd: prevent rename with empty string",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37973",
                            "    - wifi: cfg80211: fix out-of-bounds access during multi-link element",
                            "      defragmentation",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37999",
                            "    - fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()",
                            "",
                            "  * Creating a VXLAN interface with a Fan mapping causes a NULL pointer",
                            "    dereference caught by ubuntu_fan_smoke_test:sut-scan (LP: #2113992)",
                            "    - SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID",
                            "",
                            "  * [Regression Updates] \"PCI: Explicitly put devices into D0 when",
                            "    initializing\" breaks pci-pass-through in QEMU/KVM (LP: #2117494)",
                            "    - PCI/PM: Set up runtime PM even for devices without PCI PM",
                            "",
                            "  * [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be",
                            "    loaded manually (LP: #2116061)",
                            "    - [Config] s390: Build ap driver into the kernel",
                            "",
                            "  * CVE-2025-38083",
                            "    - net_sched: prio: fix a race in prio_tune()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-28.28",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2117649,
                            1786013,
                            2083800,
                            2116072,
                            2115898,
                            2115068,
                            2114516,
                            2113990,
                            2115022,
                            2114697,
                            2115174,
                            2114450,
                            2114258,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2113992,
                            2117494,
                            2116061
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:01:59 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-37946",
                                "url": "https://ubuntu.com/security/CVE-2025-37946",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs  With commit bcb5d6c76903 (\"s390/pci: introduce lock to synchronize state of zpci_dev's\") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a double put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37974",
                                "url": "https://ubuntu.com/security/CVE-2025-37974",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix missing check for zpci_create_device() error return  The zpci_create_device() function returns an error pointer that needs to be checked before dereferencing it as a struct zpci_dev pointer. Add the missing check in __clp_add() where it was missed when adding the scan_list in the fixed commit. Simply not adding the device to the scan list results in the previous behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37903",
                                "url": "https://ubuntu.com/security/CVE-2025-37903",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix slab-use-after-free in hdcp  The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free:  [   66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu] [   66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10  [   66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233 [   66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024 [   66.776186] Workqueue: events event_property_validate [amdgpu] [   66.776494] Call Trace: [   66.776496]  <TASK> [   66.776497]  dump_stack_lvl+0x70/0xa0 [   66.776504]  print_report+0x175/0x555 [   66.776507]  ? __virt_addr_valid+0x243/0x450 [   66.776510]  ? kasan_complete_mode_report_info+0x66/0x1c0 [   66.776515]  kasan_report+0xeb/0x1c0 [   66.776518]  ? event_property_validate+0x42f/0x6c0 [amdgpu] [   66.776819]  ? event_property_validate+0x42f/0x6c0 [amdgpu] [   66.777121]  __asan_report_load4_noabort+0x14/0x20 [   66.777124]  event_property_validate+0x42f/0x6c0 [amdgpu] [   66.777342]  ? __lock_acquire+0x6b40/0x6b40 [   66.777347]  ? enable_assr+0x250/0x250 [amdgpu] [   66.777571]  process_one_work+0x86b/0x1510 [   66.777575]  ? pwq_dec_nr_in_flight+0xcf0/0xcf0 [   66.777578]  ? assign_work+0x16b/0x280 [   66.777580]  ? lock_is_held_type+0xa3/0x130 [   66.777583]  worker_thread+0x5c0/0xfa0 [   66.777587]  ? process_one_work+0x1510/0x1510 [   66.777588]  kthread+0x3a2/0x840 [   66.777591]  ? 
kthread_is_per_cpu+0xd0/0xd0 [   66.777594]  ? trace_hardirqs_on+0x4f/0x60 [   66.777597]  ? _raw_spin_unlock_irq+0x27/0x60 [   66.777599]  ? calculate_sigpending+0x77/0xa0 [   66.777602]  ? kthread_is_per_cpu+0xd0/0xd0 [   66.777605]  ret_from_fork+0x40/0x90 [   66.777607]  ? kthread_is_per_cpu+0xd0/0xd0 [   66.777609]  ret_from_fork_asm+0x11/0x20 [   66.777614]  </TASK>  [   66.777643] Allocated by task 10: [   66.777646]  kasan_save_stack+0x39/0x60 [   66.777649]  kasan_save_track+0x14/0x40 [   66.777652]  kasan_save_alloc_info+0x37/0x50 [   66.777655]  __kasan_kmalloc+0xbb/0xc0 [   66.777658]  __kmalloc_cache_noprof+0x1c8/0x4b0 [   66.777661]  dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu] [   66.777880]  drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper] [   66.777892]  drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper] [   66.777901]  drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper] [   66.777909]  drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper] [   66.777917]  process_one_work+0x86b/0x1510 [   66.777919]  worker_thread+0x5c0/0xfa0 [   66.777922]  kthread+0x3a2/0x840 [   66.777925]  ret_from_fork+0x40/0x90 [   66.777927]  ret_from_fork_asm+0x11/0x20  [   66.777932] Freed by task 1713: [   66.777935]  kasan_save_stack+0x39/0x60 [   66.777938]  kasan_save_track+0x14/0x40 [   66.777940]  kasan_save_free_info+0x3b/0x60 [   66.777944]  __kasan_slab_free+0x52/0x70 [   66.777946]  kfree+0x13f/0x4b0 [   66.777949]  dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu] [   66.778179]  drm_connector_free+0x7d/0xb0 [   66.778184]  drm_mode_object_put.part.0+0xee/0x160 [   66.778188]  drm_mode_object_put+0x37/0x50 [   66.778191]  drm_atomic_state_default_clear+0x220/0xd60 [   66.778194]  __drm_atomic_state_free+0x16e/0x2a0 [   66.778197]  drm_mode_atomic_ioctl+0x15ed/0x2ba0 [   66.778200]  drm_ioctl_kernel+0x17a/0x310 [   66.778203]  drm_ioctl+0x584/0xd10 [   66.778206]  amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu] [   66.778375]  
__x64_sys_ioctl+0x139/0x1a0 [   66.778378]  x64_sys_call+0xee7/0xfb0 [   66.778381] ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37904",
                                "url": "https://ubuntu.com/security/CVE-2025-37904",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix the inode leak in btrfs_iget()  [BUG] There is a bug report that a syzbot reproducer can lead to the following busy inode at unmount time:    BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50   VFS: Busy inodes after unmount of loop1 (btrfs)   ------------[ cut here ]------------   kernel BUG at fs/super.c:650!   Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI   CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 #2 PREEMPT(full)   Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014   RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650   Call Trace:    <TASK>    kill_anon_super+0x3a/0x60 fs/super.c:1237    btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2099    deactivate_locked_super+0xbe/0x1a0 fs/super.c:473    deactivate_super fs/super.c:506 [inline]    deactivate_super+0xe2/0x100 fs/super.c:502    cleanup_mnt+0x21f/0x440 fs/namespace.c:1435    task_work_run+0x14d/0x240 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop kernel/entry/common.c:114 [inline]    exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]    __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]    syscall_exit_to_user_mode+0x269/0x290 kernel/entry/common.c:218    do_syscall_64+0xd4/0x250 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f    </TASK>  [CAUSE] When btrfs_alloc_path() failed, btrfs_iget() directly returned without releasing the inode already allocated by btrfs_iget_locked().  This results the above busy inode and trigger the kernel BUG.  [FIX] Fix it by calling iget_failed() if btrfs_alloc_path() failed.  
If we hit error inside btrfs_read_locked_inode(), it will properly call iget_failed(), so nothing to worry about.  Although the iget_failed() cleanup inside btrfs_read_locked_inode() is a break of the normal error handling scheme, let's fix the obvious bug and backport first, then rework the error handling later.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37905",
                                "url": "https://ubuntu.com/security/CVE-2025-37905",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Balance device refcount when destroying devices  Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction.  As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_private dev->p populated by the drivers subsystem core.  KMemleak detects this situation since loading/unloding some SCMI driver causes related devices to be created/destroyed without calling any device_release method.  unreferenced object 0xffff00000f583800 (size 512):   comm \"insmod\", pid 227, jiffies 4294912190   hex dump (first 32 bytes):     00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........     ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......   
backtrace (crc 114e2eed):     kmemleak_alloc+0xbc/0xd8     __kmalloc_cache_noprof+0x2dc/0x398     device_add+0x954/0x12d0     device_register+0x28/0x40     __scmi_device_create.part.0+0x1bc/0x380     scmi_device_create+0x2d0/0x390     scmi_create_protocol_devices+0x74/0xf8     scmi_device_request_notifier+0x1f8/0x2a8     notifier_call_chain+0x110/0x3b0     blocking_notifier_call_chain+0x70/0xb0     scmi_driver_register+0x350/0x7f0     0xffff80000a3b3038     do_one_initcall+0x12c/0x730     do_init_module+0x1dc/0x640     load_module+0x4b20/0x5b70     init_module_from_file+0xec/0x158  $ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0 device_add+0x954/0x12d0: kmalloc_noprof at include/linux/slab.h:901 (inlined by) kzalloc_noprof at include/linux/slab.h:1037 (inlined by) device_private_init at drivers/base/core.c:3510 (inlined by) device_add at drivers/base/core.c:3561  Balance device refcount by issuing a put_device() on devices found via device_find_child().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37906",
                                "url": "https://ubuntu.com/security/CVE-2025-37906",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd  ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but we may have scheduled task work via io_uring_cmd_complete_in_task() for dispatching request, then kernel crash can be triggered.  Fix it by not trying to cancel the command if ublk block request is started.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37907",
                                "url": "https://ubuntu.com/security/CVE-2025-37907",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Fix locking order in ivpu_job_submit  Fix deadlock in job submission and abort handling. When a thread aborts currently executing jobs due to a fault, it first locks the global lock protecting submitted_jobs (#1).  After the last job is destroyed, it proceeds to release the related context and locks file_priv (#2). Meanwhile, in the job submission thread, the file_priv lock (#2) is taken first, and then the submitted_jobs lock (#1) is obtained when a job is added to the submitted jobs list.         CPU0                            CPU1        ----                    \t       ----   (for example due to a fault)         (jobs submissions keep coming)    lock(&vdev->submitted_jobs_lock) #1   ivpu_jobs_abort_all()   job_destroy()                                       lock(&file_priv->lock)           #2                                       lock(&vdev->submitted_jobs_lock) #1   file_priv_release()   lock(&vdev->context_list_lock)   lock(&file_priv->lock)           #2  This order of locking causes a deadlock. To resolve this issue, change the order of locking in ivpu_job_submit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37908",
                                "url": "https://ubuntu.com/security/CVE-2025-37908",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, slab: clean up slab->obj_exts always  When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error:  [...]BUG: Bad page state in process... .. [...]page dumped because: page still charged to cgroup  [andriy.shevchenko@linux.intel.com: fold need_slab_obj_ext() into its only user]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37933",
                                "url": "https://ubuntu.com/security/CVE-2025-37933",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep: Fix host hang issue during device reboot  When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function. dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37909",
                                "url": "https://ubuntu.com/security/CVE-2025-37909",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: lan743x: Fix memleak issue when GSO enabled  Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37910",
                                "url": "https://ubuntu.com/security/CVE-2025-37910",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations  On Adva boards, SMA sysfs store/get operations can call __handle_signal_outputs() or __handle_signal_inputs() while the `irig` and `dcf` pointers are uninitialized, leading to a NULL pointer dereference in __handle_signal() and causing a kernel crash. Adva boards don't use `irig` or `dcf` functionality, so add Adva-specific callbacks `ptp_ocp_sma_adva_set_outputs()` and `ptp_ocp_sma_adva_set_inputs()` that avoid invoking `irig` or `dcf` input/output routines.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37894",
                                "url": "https://ubuntu.com/security/CVE-2025-37894",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: use sock_gen_put() when sk_state is TCP_TIME_WAIT  It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to sock_put() on a struct inet_timewait_sock pointer. To avoid this issue, use sock_gen_put() instead of sock_put() when sk->sk_state is TCP_TIME_WAIT.  mrdump.ko        ipanic() + 120 vmlinux          notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132 vmlinux          atomic_notifier_call_chain(val=0) + 56 vmlinux          panic() + 344 vmlinux          add_taint() + 164 vmlinux          end_report() + 136 vmlinux          kasan_report(size=0) + 236 vmlinux          report_tag_fault() + 16 vmlinux          do_tag_recovery() + 16 vmlinux          __do_kernel_fault() + 88 vmlinux          do_bad_area() + 28 vmlinux          do_tag_check_fault() + 60 vmlinux          do_mem_abort() + 80 vmlinux          el1_abort() + 56 vmlinux          el1h_64_sync_handler() + 124 vmlinux        > 0xFFFFFFC080011294() vmlinux          __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C) vmlinux          __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C) vmlinux          arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux          raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux          atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux          __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux          __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux          refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8 vmlinux          
sk_free(sk=0xF2FFFF82A8960700) + 28 vmlinux          sock_put() + 48 vmlinux          tcp6_check_fraglist_gro() + 236 vmlinux          tcp6_gro_receive() + 624 vmlinux          ipv6_gro_receive() + 912 vmlinux          dev_gro_receive() + 1116 vmlinux          napi_gro_receive() + 196 ccmni.ko         ccmni_rx_callback() + 208 ccmni.ko         ccmni_queue_recv_skb() + 388 ccci_dpmaif.ko   dpmaif_rxq_push_thread() + 1088 vmlinux          kthread() + 268 vmlinux          0xFFFFFFC08001F30C()",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37934",
                                "url": "https://ubuntu.com/security/CVE-2025-37934",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction  Actually check if the passed pointers are valid, before writing to them. This also fixes a UBSAN warning: UBSAN: invalid-load in ../sound/soc/fsl/imx-card.c:687:25 load of value 255 is not a valid value for type '_Bool'  This is because playback_only is uninitialized and is not written to, as the playback-only property is absent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37911",
                                "url": "https://ubuntu.com/security/CVE-2025-37911",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix out-of-bound memcpy() during ethtool -w  When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption:  BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45): __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] ethtool_get_dump_data+0xdc/0x1a0 __dev_ethtool+0xa1e/0x1af0 dev_ethtool+0xa8/0x170 dev_ioctl+0x1b5/0x580 sock_do_ioctl+0xab/0xf0 sock_ioctl+0x1ce/0x2e0 __x64_sys_ioctl+0x87/0xc0 do_syscall_64+0x5c/0xf0 entry_SYSCALL_64_after_hwframe+0x78/0x80  ...  This happens when copying the coredump segment list in bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command. The info->dest_buf buffer is allocated based on the number of coredump segments returned by the FW.  The segment list is then DMA'ed by the FW and the length of the DMA is returned by FW.  The driver then copies this DMA'ed segment list to info->dest_buf.  In some cases, this DMA length may exceed the info->dest_buf length and cause the above BUG condition.  Fix it by capping the copy length to not exceed the length of info->dest_buf.  The extra DMA data contains no useful information.  This code path is shared for the HWRM_DBG_COREDUMP_LIST and the HWRM_DBG_COREDUMP_RETRIEVE FW commands.  The buffering is different for these 2 FW commands.  To simplify the logic, we need to move the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE up, so that the new check to cap the copy length will work for both commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37895",
                                "url": "https://ubuntu.com/security/CVE-2025-37895",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix error handling path in bnxt_init_chip()  WARN_ON() is triggered in __flush_work() if bnxt_init_chip() fails because we call cancel_work_sync() on dim work that has not been initialized.  WARNING: CPU: 37 PID: 5223 at kernel/workqueue.c:4201 __flush_work.isra.0+0x212/0x230  The driver relies on the BNXT_STATE_NAPI_DISABLED bit to check if dim work has already been cancelled.  But in the bnxt_open() path, BNXT_STATE_NAPI_DISABLED is not set and this causes the error path to think that it needs to cancel the uninitialized dim work. Fix it by setting BNXT_STATE_NAPI_DISABLED during initialization. The bit will be cleared when we enable NAPI and initialize dim work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37935",
                                "url": "https://ubuntu.com/security/CVE-2025-37935",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM  If the mtk_poll_rx() function detects the MTK_RESETTING flag, it will jump to release_desc and refill the high word of the SDP on the 4GB RFB. Subsequently, mtk_rx_clean will process an incorrect SDP, leading to a panic.  Add patch from MediaTek's SDK to resolve this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37891",
                                "url": "https://ubuntu.com/security/CVE-2025-37891",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: ump: Fix buffer overflow at UMP SysEx message conversion  The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump().  It leads eventually to a buffer overflow, and may corrupt the memory when a longer SysEx message is received.  The fix is simply to extend the buffer size to 6 to fit with the SysEx UMP message.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-19 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37912",
                                "url": "https://ubuntu.com/security/CVE-2025-37912",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()  As mentioned in the commit baeb705fd6a7 (\"ice: always check VF VSI pointer values\"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37913",
                                "url": "https://ubuntu.com/security/CVE-2025-37913",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: qfq: Fix double list add in class with netem as child qdisc  As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.  This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37914",
                                "url": "https://ubuntu.com/security/CVE-2025-37914",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: ets: Fix double list add in class with netem as child qdisc  As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of ets, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.  In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before doing the addition to cater for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37915",
                                "url": "https://ubuntu.com/security/CVE-2025-37915",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: drr: Fix double list add in class with netem as child qdisc  As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.  In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before adding to the list to cover for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37916",
                                "url": "https://ubuntu.com/security/CVE-2025-37916",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pds_core: remove write-after-free of client_id  A use-after-free error popped up in stress testing:  [Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdsc_auxbus_dev_del+0xef/0x160 [pds_core] [Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47): [Mon Apr 21 21:21:33 2025]  pdsc_auxbus_dev_del+0xef/0x160 [pds_core] [Mon Apr 21 21:21:33 2025]  pdsc_remove+0xc0/0x1b0 [pds_core] [Mon Apr 21 21:21:33 2025]  pci_device_remove+0x24/0x70 [Mon Apr 21 21:21:33 2025]  device_release_driver_internal+0x11f/0x180 [Mon Apr 21 21:21:33 2025]  driver_detach+0x45/0x80 [Mon Apr 21 21:21:33 2025]  bus_remove_driver+0x83/0xe0 [Mon Apr 21 21:21:33 2025]  pci_unregister_driver+0x1a/0x80  The actual device uninit usually happens on a separate thread scheduled after this code runs, but there is no guarantee of order of thread execution, so this could be a problem.  There's no actual need to clear the client_id at this point, so simply remove the offending code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37917",
                                "url": "https://ubuntu.com/security/CVE-2025-37917",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll  Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll.  ``` BUG: spinlock recursion on CPU#0, swapper/0/0  lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0,     .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted     6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace:  show_stack+0x18/0x24 (C)  dump_stack_lvl+0x60/0x80  dump_stack+0x18/0x24  spin_dump+0x78/0x88  do_raw_spin_lock+0x11c/0x120  _raw_spin_lock+0x20/0x2c  mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac]  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x4c/0xb0  handle_fasteoi_irq+0xa0/0x1bc  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x120  do_interrupt_handler+0x50/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  regmap_mmio_read32le+0xc/0x20 (P)  _regmap_bus_reg_read+0x6c/0xac  _regmap_read+0x60/0xdc  regmap_read+0x4c/0x80  mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac]  __napi_poll+0x38/0x188  net_rx_action+0x164/0x2c0  handle_softirqs+0x100/0x244  __do_softirq+0x14/0x20  ____do_softirq+0x10/0x20  call_on_irq_stack+0x24/0x64  do_softirq_own_stack+0x1c/0x40  __irq_exit_rcu+0xd4/0x10c  irq_exit_rcu+0x10/0x1c  el1_interrupt+0x38/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  cpuidle_enter_state+0xac/0x320 (P)  cpuidle_enter+0x38/0x50  do_idle+0x1e4/0x260  cpu_startup_entry+0x34/0x3c  rest_init+0xdc/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ```",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37918",
                                "url": "https://ubuntu.com/security/CVE-2025-37918",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()  A NULL pointer dereference can occur in skb_dequeue() when processing a QCA firmware crash dump on WCN7851 (0489:e0f3).  [ 93.672166] Bluetooth: hci0: ACL memdump size(589824)  [ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth] [ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80  The issue stems from handle_dump_pkt_qca() returning 0 even when a dump packet is successfully processed. This is because it incorrectly forwards the return value of hci_devcd_init() (which returns 0 on success). As a result, the caller (btusb_recv_acl_qca() or btusb_recv_evt_qca()) assumes the packet was not handled and passes it to hci_recv_frame(), leading to premature kfree() of the skb.  Later, hci_devcd_rx() attempts to dequeue the same skb from the dump queue, resulting in a NULL pointer dereference.  Fix this by: 1. Making handle_dump_pkt_qca() return 0 on success and negative errno    on failure, consistent with kernel conventions. 2. Splitting dump packet detection into separate functions for ACL    and event packets for better structure and readability.  This ensures dump packets are properly identified and consumed, avoiding double handling and preventing NULL pointer access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37919",
                                "url": "https://ubuntu.com/security/CVE-2025-37919",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot  Update chip data using dev_get_drvdata(dev->parent) to fix NULL pointer deref in acp_i2s_set_tdm_slot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37896",
                                "url": "https://ubuntu.com/security/CVE-2025-37896",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: spi-mem: Add fix to avoid divide error  For some SPI flash memory operations, dummy bytes are not mandatory. For example, in Winbond SPINAND flash memory devices, the `write_cache` and `update_cache` operation variants have zero dummy bytes. Calculating the duration for SPI memory operations with zero dummy bytes causes a divide error when `ncycles` is calculated in the spi_mem_calc_op_duration().  Add changes to skip the `ncycles` calculation for zero dummy bytes.  Following divide error is fixed by this change:   Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI ...    ? do_trap+0xdb/0x100   ? do_error_trap+0x75/0xb0   ? spi_mem_calc_op_duration+0x56/0xb0   ? exc_divide_error+0x3b/0x70   ? spi_mem_calc_op_duration+0x56/0xb0   ? asm_exc_divide_error+0x1b/0x20   ? spi_mem_calc_op_duration+0x56/0xb0   ? spinand_select_op_variant+0xee/0x190 [spinand]   spinand_match_and_init+0x13e/0x1a0 [spinand]   spinand_manufacturer_match+0x6e/0xa0 [spinand]   spinand_probe+0x357/0x7f0 [spinand]   ? kernfs_activate+0x87/0xd0   spi_mem_probe+0x7a/0xb0   spi_probe+0x7d/0x130",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37920",
                                "url": "https://ubuntu.com/security/CVE-2025-37920",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xsk: Fix race condition in AF_XDP generic RX path  Move rx_lock from xsk_socket to xsk_buff_pool. Fix synchronization for shared umem mode in generic RX path where multiple sockets share single xsk_buff_pool.  RX queue is exclusive to xsk_socket, while FILL queue can be shared between multiple sockets. This could result in race condition where two CPU cores access RX path of two different sockets sharing the same umem.  Protect both queues by acquiring spinlock in shared xsk_buff_pool.  Lock contention may be minimized in the future by some per-thread FQ buffering.  It's safe and necessary to move spin_lock_bh(rx_lock) after xsk_rcv_check(): * xs->pool and spinlock_init is synchronized by   xsk_bind() -> xsk_is_bound() memory barriers. * xsk_rcv_check() may return true at the moment   of xsk_release() or xsk_unbind_dev(),   however this will not cause any data races or   race conditions. xsk_unbind_dev() removes xdp   socket from all maps and waits for completion   of all outstanding rx operations. Packets in   RX path will either complete safely or drop.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37921",
                                "url": "https://ubuntu.com/security/CVE-2025-37921",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: vnifilter: Fix unlocked deletion of default FDB entry  When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1] being generated by the lockdep annotation that was added by commit ebe642067455 (\"vxlan: Create wrappers for FDB lookup\").  Reproducer:   # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1  # bridge vni add vni 10010 remote 198.51.100.1 dev vx0  # bridge vni del vni 10010 dev vx0  Fix by acquiring the hash lock before the deletion and releasing it afterwards. Blame the original commit that introduced the issue rather than the one that exposed it.  [1] WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0 [...] RIP: 0010:vxlan_find_mac+0x17f/0x1a0 [...] Call Trace:  <TASK>  __vxlan_fdb_delete+0xbe/0x560  vxlan_vni_delete_group+0x2ba/0x940  vxlan_vni_del.isra.0+0x15f/0x580  vxlan_process_vni_filter+0x38b/0x7b0  vxlan_vnifilter_process+0x3bb/0x510  rtnetlink_rcv_msg+0x2f7/0xb70  netlink_rcv_skb+0x131/0x360  netlink_unicast+0x426/0x710  netlink_sendmsg+0x75a/0xc20  __sock_sendmsg+0xc1/0x150  ____sys_sendmsg+0x5aa/0x7b0  ___sys_sendmsg+0xfc/0x180  __sys_sendmsg+0x121/0x1b0  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37897",
                                "url": "https://ubuntu.com/security/CVE-2025-37897",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release  plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases mac->lock can not be held as the driver is not working with the device at the moment. All functions that use mac->lock unlock it just after it was held. There is also no need to hold mac->lock for plfxlc_mac_release() itself, as mac data is not affected, except for mac->flags, which is modified atomically.  This bug leads to the following warning: ================================================================ WARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0 Modules linked in: CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: usb_hub_wq hub_event RIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106 Call Trace:  <TASK>  probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694  usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396  really_probe+0x2ab/0xcb0 drivers/base/dd.c:639  __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785  driver_probe_device+0x50/0x420 drivers/base/dd.c:815  __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943  bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429  __device_attach+0x359/0x570 drivers/base/dd.c:1015  bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489  device_add+0xb48/0xfd0 drivers/base/core.c:3696  usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165  usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238  usb_probe_device+0x130/0x260 
drivers/usb/core/driver.c:293  really_probe+0x2ab/0xcb0 drivers/base/dd.c:639  __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785  driver_probe_device+0x50/0x420 drivers/base/dd.c:815  __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943  bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429  __device_attach+0x359/0x570 drivers/base/dd.c:1015  bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489  device_add+0xb48/0xfd0 drivers/base/core.c:3696  usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620  hub_port_connect drivers/usb/core/hub.c:5477 [inline]  hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]  port_event drivers/usb/core/hub.c:5773 [inline]  hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855  process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292  worker_thread+0xa47/0x1200 kernel/workqueue.c:2439  kthread+0x28d/0x320 kernel/kthread.c:376  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295  </TASK> ================================================================  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37898",
                                "url": "https://ubuntu.com/security/CVE-2025-37898",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc64/ftrace: fix module loading without patchable function entries  get_stubs_size assumes that there must always be at least one patchable function entry, which is not always the case (modules that export data but no code), otherwise it returns -ENOEXEC and thus the section header sh_size is set to that value. During module_memory_alloc() the size is passed to execmem_alloc() after being page-aligned and thus set to zero which will cause it to fail the allocation (and thus module loading) as __vmalloc_node_range() checks for zero-sized allocs and returns null:  [  115.466896] module_64: cast_common: doesn't contain __patchable_function_entries. [  115.469189] ------------[ cut here ]------------ [  115.469496] WARNING: CPU: 0 PID: 274 at mm/vmalloc.c:3778 __vmalloc_node_range_noprof+0x8b4/0x8f0 ... [  115.478574] ---[ end trace 0000000000000000 ]--- [  115.479545] execmem: unable to allocate memory  Fix this by removing the check completely, since it is anyway not helpful to propagate this as an error upwards.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37922",
                                "url": "https://ubuntu.com/security/CVE-2025-37922",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  book3s64/radix : Align section vmemmap start address to PAGE_SIZE  A vmemmap altmap is a device-provided region used to provide backing storage for struct pages. For each namespace, the altmap should belong to that same namespace. If the namespaces are created unaligned, there is a chance that the section vmemmap start address could also be unaligned. If the section vmemmap start address is unaligned, the altmap page allocated from the current namespace might be used by the previous namespace also. During the free operation, since the altmap is shared between two namespaces, the previous namespace may detect that the page does not belong to its altmap and incorrectly assume that the page is a normal page. It then attempts to free the normal page, which leads to a kernel crash.  Kernel attempted to read user page (18) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000018 Faulting instruction address: 0xc000000000530c7c Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries CPU: 32 PID: 2104 Comm: ndctl Kdump: loaded Tainted: G        W NIP:  c000000000530c7c LR: c000000000530e00 CTR: 0000000000007ffe REGS: c000000015e57040 TRAP: 0300   Tainted: G        W MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 84482404 CFAR: c000000000530dfc DAR: 0000000000000018 DSISR: 40000000 IRQMASK: 0 GPR00: c000000000530e00 c000000015e572e0 c000000002c5cb00 c00c000101008040 GPR04: 0000000000000000 0000000000000007 0000000000000001 000000000000001f GPR08: 0000000000000005 0000000000000000 0000000000000018 0000000000002000 GPR12: c0000000001d2fb0 c0000060de6b0080 0000000000000000 c0000060dbf90020 GPR16: c00c000101008000 0000000000000001 0000000000000000 c000000125b20f00 GPR20: 0000000000000001 0000000000000000 ffffffffffffffff c00c000101007fff GPR24: 0000000000000001 
0000000000000000 0000000000000000 0000000000000000 GPR28: 0000000004040201 0000000000000001 0000000000000000 c00c000101008040 NIP [c000000000530c7c] get_pfnblock_flags_mask+0x7c/0xd0 LR [c000000000530e00] free_unref_page_prepare+0x130/0x4f0 Call Trace: free_unref_page+0x50/0x1e0 free_reserved_page+0x40/0x68 free_vmemmap_pages+0x98/0xe0 remove_pte_table+0x164/0x1e8 remove_pmd_table+0x204/0x2c8 remove_pud_table+0x1c4/0x288 remove_pagetable+0x1c8/0x310 vmemmap_free+0x24/0x50 section_deactivate+0x28c/0x2a0 __remove_pages+0x84/0x110 arch_remove_memory+0x38/0x60 memunmap_pages+0x18c/0x3d0 devm_action_release+0x30/0x50 release_nodes+0x68/0x140 devres_release_group+0x100/0x190 dax_pmem_compat_release+0x44/0x80 [dax_pmem_compat] device_for_each_child+0x8c/0x100 [dax_pmem_compat_remove+0x2c/0x50 [dax_pmem_compat] nvdimm_bus_remove+0x78/0x140 [libnvdimm] device_remove+0x70/0xd0  Another issue is that if there is no altmap, a PMD-sized vmemmap page will be allocated from RAM, regardless of the alignment of the section start address. If the section start address is not aligned to the PMD size, a VM_BUG_ON will be triggered when setting the PMD-sized page to page table.  In this patch, we are aligning the section vmemmap start address to PAGE_SIZE. After alignment, the start address will not be part of the current namespace, and a normal page will be allocated for the vmemmap mapping of the current section. For the remaining sections, altmaps will be allocated. During the free operation, the normal page will be correctly freed.  In the same way, a PMD_SIZE vmemmap page will be allocated only if the section start address is PMD_SIZE-aligned; otherwise, it will fall back to a PAGE-sized vmemmap allocation.  
Without this patch ================== NS1 start               NS2 start  _________________________________________________________ |         NS1               |            NS2              |  --------------------------------------------------------- | Altmap| Altmap | .....|Altmap| Altmap | ........... |  NS1  |  NS1   ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37923",
                                "url": "https://ubuntu.com/security/CVE-2025-37923",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix oob write in trace_seq_to_buffer()  syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260  CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc3/0x670 mm/kasan/report.c:521  kasan_report+0xe0/0x110 mm/kasan/report.c:634  check_region_inline mm/kasan/generic.c:183 [inline]  kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189  __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106  trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]  tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822  .... ==================================================================  It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37899",
                                "url": "https://ubuntu.com/security/CVE-2025-37899",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free in session logoff  The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37924",
                                "url": "https://ubuntu.com/security/CVE-2025-37924",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free in kerberos authentication  Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37926",
                                "url": "https://ubuntu.com/security/CVE-2025-37926",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix use-after-free in ksmbd_session_rpc_open  A UAF issue can occur due to a race condition between ksmbd_session_rpc_open() and __session_rpc_close(). Add rpc_lock to the session to protect it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37900",
                                "url": "https://ubuntu.com/security/CVE-2025-37900",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommu: Fix two issues in iommu_copy_struct_from_user()  In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com  And Alok pointed out a typo at the same time: https://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com  Since both issues were copied from iommu_copy_struct_from_user(), fix them first in the current header.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37927",
                                "url": "https://ubuntu.com/security/CVE-2025-37927",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid  There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the check is insufficient in some cases. For example if the length of hid string is 4 and the length of the uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer which size is 256.  The same applies to the hid string with length 13 and uid string with length 250.  Check the length of hid and uid strings separately to prevent buffer overflow.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37928",
                                "url": "https://ubuntu.com/security/CVE-2025-37928",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-bufio: don't schedule in atomic context  A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled. [  129.444685][  T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421 [  129.444723][  T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4 [  129.444740][  T934] preempt_count: 201, expected: 0 [  129.444756][  T934] RCU nest depth: 0, expected: 0 [  129.444781][  T934] Preemption disabled at: [  129.444789][  T934] [<ffffffd816231900>] shrink_work+0x21c/0x248 [  129.445167][  T934] kernel BUG at kernel/sched/walt/walt_debug.c:16! [  129.445183][  T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [  129.445204][  T934] Skip md ftrace buffer dump for: 0x1609e0 [  129.447348][  T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G       W  OE      6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8 [  129.447362][  T934] Hardware name: Qualcomm Technologies, Inc. 
Parrot QRD, Alpha-M (DT) [  129.447373][  T934] Workqueue: dm_bufio_cache shrink_work [  129.447394][  T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  129.447406][  T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug] [  129.447435][  T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c [  129.447451][  T934] sp : ffffffc0843dbc90 [  129.447459][  T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b [  129.447479][  T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68 [  129.447497][  T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900 [  129.447517][  T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030 [  129.447535][  T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358 [  129.447554][  T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003 [  129.447572][  T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400 [  129.447591][  T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8 [  129.447610][  T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0 [  129.447629][  T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000 [  129.447647][  T934] Call trace: [  129.447655][  T934]  android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 1400000003000000474e550080cce8a8a78606b6] [  129.447681][  T934]  __might_resched+0x190/0x1a8 [  129.447694][  T934]  shrink_work+0x180/0x248 [  129.447706][  T934]  process_one_work+0x260/0x624 [  129.447718][  T934]  worker_thread+0x28c/0x454 [  129.447729][  T934]  kthread+0x118/0x158 [  129.447742][  T934]  ret_from_fork+0x10/0x20 [  129.447761][  T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000) [  129.447772][  T934] ---[ end trace 0000000000000000 ]---  dm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet is enabled, and __scan will be called in atomic context.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37990",
                                "url": "https://ubuntu.com/security/CVE-2025-37990",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()  The function brcmf_usb_dl_writeimage() calls the function brcmf_usb_dl_cmd() but does not check its return value. The 'state.state' and the 'state.bytes' are uninitialized if the function brcmf_usb_dl_cmd() fails. It is dangerous to use uninitialized variables in the conditions.  Add error handling for brcmf_usb_dl_cmd() to jump to error handling path if the brcmf_usb_dl_cmd() fails and the 'state.state' and the 'state.bytes' are uninitialized.  Improve the error message to report more detailed error information.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 18:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37901",
                                "url": "https://ubuntu.com/security/CVE-2025-37901",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs  On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not have a corresponding MPM pin and should not be handled inside the MPM driver. The IRQ domain hierarchy is always applied, so it's required to explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but irq-qcom-mpm is currently missing the check. This is causing crashes when setting up interrupts for non-wake GPIOs:   root@rb1:~# gpiomon -c gpiochip1 10    irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1    Unable to handle kernel paging request at virtual address ffff8000a1dc3820    Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT)    pc : mpm_set_type+0x80/0xcc    lr : mpm_set_type+0x5c/0xcc    Call trace:     mpm_set_type+0x80/0xcc (P)     qcom_mpm_set_type+0x64/0x158     irq_chip_set_type_parent+0x20/0x38     msm_gpio_irq_set_type+0x50/0x530     __irq_set_trigger+0x60/0x184     __setup_irq+0x304/0x6bc     request_threaded_irq+0xc8/0x19c     edge_detector_setup+0x260/0x364     linereq_create+0x420/0x5a8     gpio_ioctl+0x2d4/0x6c0  Fix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that MPM is removed entirely from the hierarchy for non-wake GPIOs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37936",
                                "url": "https://ubuntu.com/security/CVE-2025-37936",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.  When generating the MSR_IA32_PEBS_ENABLE value that will be loaded on VM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE value.  Consulting only the host kernel's host vs. guest masks results in running the guest with PEBS enabled even when the guest doesn't want to use PEBS.  Because KVM uses perf events to proxy the guest virtual PMU, simply looking at exclude_host can't differentiate between events created by host userspace, and events created by KVM on behalf of the guest.  Running the guest with PEBS unexpectedly enabled typically manifests as crashes due to a near-infinite stream of #PFs.  E.g. if the guest hasn't written MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when trying to record PEBS events.  The issue is most easily reproduced by running `perf kvm top` from before commit 7b100989b4f6 (\"perf evlist: Remove __evlist__add_default\") (after which, `perf kvm top` effectively stopped using PEBS).\tThe userspace side of perf creates a guest-only PEBS event, which intel_guest_get_msrs() misconstrues a guest-*owned* PEBS event.  Arguably, this is a userspace bug, as enabling PEBS on guest-only events simply cannot work, and userspace can kill VMs in many other ways (there is no danger to the host).  However, even if this is considered to be bad userspace behavior, there's zero downside to perf/KVM restricting PEBS to guest-owned events.  Note, commit 854250329c02 (\"KVM: x86/pmu: Disable guest PEBS temporarily in two rare situations\") fixed the case where host userspace is profiling KVM *and* userspace, but missed the case where userspace is profiling only KVM.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37991",
                                "url": "https://ubuntu.com/security/CVE-2025-37991",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Fix double SIGFPE crash  Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler.  Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately.  When the T bit is set, an assist exception trap occurs when the co-processor encounters *any* floating-point instruction except for a double store of register %fr0.  The latter cancels all pending traps.  Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.  The issue can be reproduced with this test program:  root@parisc:~# cat fpe.c  static void fpe_func(int sig, siginfo_t *i, void *v) {         sigset_t set;         sigemptyset(&set);         sigaddset(&set, SIGFPE);         sigprocmask(SIG_UNBLOCK, &set, NULL);         printf(\"GOT signal %d with si_code %ld\\n\", sig, i->si_code); }  int main() {         struct sigaction action = {                 .sa_sigaction = fpe_func,                 .sa_flags = SA_RESTART|SA_SIGINFO };         sigaction(SIGFPE, &action, 0);         feenableexcept(FE_OVERFLOW);         return printf(\"%lf\\n\",1.7976931348623158E308*1.7976931348623158E308); }  root@parisc:~# gcc fpe.c -lm root@parisc:~# ./a.out  Floating point exception  root@parisc:~# strace -f ./a.out  execve(\"./a.out\", [\"./a.out\"], 0xf9ac7034 /* 20 vars */) = 0  getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0  ...  
rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0  --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---  --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---  +++ killed by SIGFPE +++  Floating point exception",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 18:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37929",
                                "url": "https://ubuntu.com/security/CVE-2025-37929",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays  Commit a5951389e58d (\"arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists\") added some additional CPUs to the Spectre-BHB workaround, including some new arrays for designs that require new 'k' values for the workaround to be effective.  Unfortunately, the new arrays omitted the sentinel entry and so is_midr_in_range_list() will walk off the end when it doesn't find a match. With UBSAN enabled, this leads to a crash during boot when is_midr_in_range_list() is inlined (which was more common prior to c8c2647e69be (\"arm64: Make  _midr_in_range_list() an exported function\")):   |  Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP  |  pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)  |  pc : spectre_bhb_loop_affected+0x28/0x30  |  lr : is_spectre_bhb_affected+0x170/0x190  | [...]  |  Call trace:  |   spectre_bhb_loop_affected+0x28/0x30  |   update_cpu_capabilities+0xc0/0x184  |   init_cpu_features+0x188/0x1a4  |   cpuinfo_store_boot_cpu+0x4c/0x60  |   smp_prepare_boot_cpu+0x38/0x54  |   start_kernel+0x8c/0x478  |   __primary_switched+0xc8/0xd4  |  Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)  |  ---[ end trace 0000000000000000 ]---  |  Kernel panic - not syncing: aarch64 BRK: Fatal exception  Add the missing sentinel entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37930",
                                "url": "https://ubuntu.com/security/CVE-2025-37930",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()  Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (race) a signaled fence remains in the pending list for a while, until it gets removed by nouveau_fence_update().  Should nouveau_fence_context_kill() run in the meantime, this would be a bug because the function would attempt to set an error code on an already signaled fence.  Have nouveau_fence_context_kill() check for a fence being signaled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37931",
                                "url": "https://ubuntu.com/security/CVE-2025-37931",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: adjust subpage bit start based on sectorsize  When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production.  This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes.  When writing out a subpage EB we scan the subpage bitmap for a dirty range.  If the range isn't dirty we do  \tbit_start++;  to move onto the next bit.  The problem is the bitmap is based on the number of sectors that an EB has.  So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize.  This means our bitmap is 4 bits for every node.  With a 64k page size we end up with 4 nodes per page.  To make this easier this is how everything looks  [0         16k       32k       48k     ] logical address [0         4         8         12      ] radix tree offset [               64k page               ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | |  | | | |   | | | |   | | | | ] bitmap  Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4.  When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k.  However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries.  In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again.  
This time it is dirty, and we go to find that start using the following equation  \tstart = folio_start + bit_start * fs_info->sectorsize;  so in the case above, eb->start 0 is now dirty, and we calculate start as  \t0 + 1 * fs_info->sectorsize = 4096 \t4096 >> 12 = 1  Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5.  If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers.  The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change.  Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37798",
                                "url": "https://ubuntu.com/security/CVE-2025-37798",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()  After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37997",
                                "url": "https://ubuntu.com/security/CVE-2025-37997",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: fix region locking in hash types  Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37890",
                                "url": "https://ubuntu.com/security/CVE-2025-37890",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc  As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).  This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-16 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-24.24 -proposed tracker (LP: #2114501)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.06.16)",
                            "",
                            "  * Apple spi keyboard/trackpad not working 25.04 (LP: #2107976)",
                            "    - iommu/vt-d: Restore context entry setup order for aliased devices",
                            "",
                            "  * Unexpected system reboot at loading GUI session on some AMD platforms",
                            "    (LP: #2112462)",
                            "    - drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush",
                            "",
                            "  * Fix ARL-U/H suspend issues (LP: #2112469)",
                            "    - platform/x86/intel/pmc: Remove duplicate enum",
                            "    - platform/x86:intel/pmc: Make tgl_core_generic_init() static",
                            "    - platform/x86:intel/pmc: Create generic_core_init() for all platforms",
                            "    - platform/x86/intel/pmc: Remove simple init functions",
                            "    - platform/x86/intel/pmc: Add Arrow Lake U/H support to intel_pmc_core",
                            "      driver",
                            "    - platform/x86/intel/pmc: Fix Arrow Lake U/H NPU PCI ID",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174)",
                            "    - s390/pci: Remove redundant bus removal and disable from",
                            "      zpci_release_device()",
                            "    - s390/pci: Prevent self deletion in disable_slot()",
                            "    - s390/pci: Allow re-add of a reserved but not yet removed device",
                            "    - s390/pci: Serialize device addition and removal",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174) // CVE-2025-37946",
                            "    - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has",
                            "      child VFs",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174) // CVE-2025-37974",
                            "    - s390/pci: Fix missing check for zpci_create_device() error return",
                            "",
                            "  * HW accelerated video playback causes VCN timeout on VCN 4.0.5 (AMD Strix)",
                            "    (LP: #2112582)",
                            "    - drm/amdgpu: read back register after written for VCN v4.0.5",
                            "",
                            "  * kvmppc_set_passthru_irq_hv: Could not assign IRQ map traces are seen when",
                            "    pci device is attached to kvm guest when \"xive=off\" is set (LP: #2109951)",
                            "    - KVM: PPC: Book3S HV: Fix IRQ map warnings with XICS on pSeries KVM Guest",
                            "",
                            "  * System will restart while resuming with SATA HDD or nvme installed with",
                            "    password set (LP: #2110090)",
                            "    - PCI: Explicitly put devices into D0 when initializing",
                            "",
                            "  * VM boots slowly with large-BAR GPU Passthrough (Root Cause Fix SRU)",
                            "    (LP: #2111861)",
                            "    - mm: Provide address mask in struct follow_pfnmap_args",
                            "    - vfio/type1: Convert all vaddr_get_pfns() callers to use vfio_batch",
                            "    - vfio/type1: Catch zero from pin_user_pages_remote()",
                            "    - vfio/type1: Use vfio_batch for vaddr_get_pfns()",
                            "    - vfio/type1: Use consistent types for page counts",
                            "    - vfio/type1: Use mapping page mask for pfnmaps",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881)",
                            "    - Revert \"rndis_host: Flag RNDIS modems as WWAN devices\"",
                            "    - ALSA: hda/realtek - Add more HP laptops which need mute led fixup",
                            "    - ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()",
                            "    - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset",
                            "    - ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS()",
                            "    - btrfs: fix COW handling in run_delalloc_nocow()",
                            "    - cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode",
                            "    - drm/fdinfo: Protect against driver unbind",
                            "    - EDAC/altera: Test the correct error reg offset",
                            "    - EDAC/altera: Set DDR and SDMMC interrupt mask before registration",
                            "    - i2c: imx-lpi2c: Fix clock count when probe defers",
                            "    - pinctrl: airoha: fix wrong PHY LED mapping and PHY2 LED defines",
                            "    - perf/x86/intel: Only check the group flag for X86 leader",
                            "    - amd-xgbe: Fix to ensure dependent features are toggled with RX checksum",
                            "      offload",
                            "    - mm/memblock: pass size instead of end to memblock_set_node()",
                            "    - mm/memblock: repeat setting reserved region nid if array is doubled",
                            "    - mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe",
                            "    - spi: tegra114: Don't fail set_cs_timing when delays are zero",
                            "    - tracing: Do not take trace_event_sem in print_event_fields()",
                            "    - x86/boot/sev: Support memory acceptance in the EFI stub under SVSM",
                            "    - dm-integrity: fix a warning on invalid table line",
                            "    - dm: always update the array size in realloc_argv on success",
                            "    - drm/amdgpu: Fix offset for HDP remap in nbio v7.11",
                            "    - drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS",
                            "    - iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream",
                            "      ids",
                            "    - iommu/arm-smmu-v3: Fix pgsize_bit for sva domains",
                            "    - iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)",
                            "    - platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep",
                            "      cycles",
                            "    - platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU",
                            "      hotplug",
                            "    - smb: client: fix zero length for mkdir POSIX create context",
                            "    - cpufreq: Avoid using inconsistent policy->min and policy->max",
                            "    - cpufreq: Fix setting policy limits when frequency tables are used",
                            "    - bcachefs: Remove incorrect __counted_by annotation",
                            "    - drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF",
                            "    - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean",
                            "      properties",
                            "    - ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB",
                            "    - firmware: cs_dsp: tests: Depend on FW_CS_DSP rather then enabling it",
                            "    - ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence",
                            "    - Revert \"UBUNTU: SAUCE: powerpc64/ftrace: fix module loading without",
                            "      patchable function entries\"",
                            "    - pinctrl: imx: Return NULL if no group is matched and found",
                            "    - powerpc/boot: Check for ld-option support",
                            "    - ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init()",
                            "    - iommu/arm-smmu-v3: Add missing S2FWB feature detection",
                            "    - ALSA: hda/realtek - Enable speaker for HP platform",
                            "    - drm/i915/pxp: fix undefined reference to",
                            "      `intel_pxp_gsccs_is_ready_for_sessions'",
                            "    - wifi: iwlwifi: back off on continuous errors",
                            "    - wifi: iwlwifi: don't warn if the NIC is gone in resume",
                            "    - wifi: iwlwifi: fix the check for the SCRATCH register upon resume",
                            "    - powerpc/boot: Fix dash warning",
                            "    - xsk: Fix offset calculation in unaligned mode",
                            "    - net/mlx5e: Use custom tunnel header for vxlan gbp",
                            "    - net/mlx5: E-Switch, Initialize MAC Address for Default GID",
                            "    - net/mlx5e: TC, Continue the attr process even if encap entry is invalid",
                            "    - net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover",
                            "    - net/mlx5: E-switch, Fix error handling for enabling roce",
                            "    - accel/ivpu: Correct DCT interrupt handling",
                            "    - cpufreq: Introduce policy->boost_supported flag",
                            "    - cpufreq: acpi: Set policy->boost_supported",
                            "    - cpufreq: ACPI: Re-sync CPU boost state on system resume",
                            "    - Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver",
                            "    - Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync",
                            "    - Bluetooth: btintel_pcie: Avoid redundant buffer allocation",
                            "    - Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths",
                            "    - Bluetooth: L2CAP: copy RX timestamp to new fragments",
                            "    - net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID",
                            "    - octeon_ep_vf: Resolve netdevice usage count issue",
                            "    - bnxt_en: improve TX timestamping FIFO configuration",
                            "    - rtase: Modify the condition used to detect overflow in",
                            "      rtase_calc_time_mitigation",
                            "    - net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when",
                            "      advised",
                            "    - net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array",
                            "    - pds_core: make pdsc_auxbus_dev_del() void",
                            "    - pds_core: specify auxiliary_device to be created",
                            "    - ice: Don't check device type when checking GNSS presence",
                            "    - ice: Remove unnecessary ice_is_e8xx() functions",
                            "    - ice: fix Get Tx Topology AQ command error on E830",
                            "    - idpf: fix offloads support for encapsulated packets",
                            "    - scsi: ufs: core: Remove redundant query_complete trace",
                            "    - drm/xe/guc: Fix capture of steering registers",
                            "    - pinctrl: qcom: Fix PINGROUP definition for sm8750",
                            "    - nvme-pci: fix queue unquiesce check on slot_reset",
                            "    - drm/tests: shmem: Fix memleak",
                            "    - drm/mipi-dbi: Fix blanking for non-16 bit formats",
                            "    - net: dlink: Correct endianness handling of led_mode",
                            "    - net: mdio: mux-meson-gxl: set reversed bit when using internal phy",
                            "    - idpf: fix potential memory leak on kcalloc() failure",
                            "    - idpf: protect shutdown from reset",
                            "    - igc: fix lock order in igc_ptp_reset",
                            "    - net: dsa: felix: fix broken taprio gate states after clock jump",
                            "    - net: ipv6: fix UDPv6 GSO segmentation with NAT",
                            "    - ALSA: hda/realtek: Fix built-mic regression on other ASUS models",
                            "    - bnxt_en: Fix ethtool selftest output in one of the failure cases",
                            "    - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan()",
                            "    - bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings()",
                            "    - bnxt_en: Fix coredump logic to free allocated buffer",
                            "    - bnxt_en: Fix ethtool -d byte order for 32-bit values",
                            "    - nvme-tcp: fix premature queue removal and I/O failover",
                            "    - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS",
                            "    - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS",
                            "    - ASoC: stm32: sai: skip useless iterations on kernel rate loop",
                            "    - ASoC: stm32: sai: add a check on minimal kernel frequency",
                            "    - bnxt_en: fix module unload sequence",
                            "    - net: fec: ERR007885 Workaround for conventional TX",
                            "    - net: hns3: store rx VLAN tag offload state for VF",
                            "    - net: hns3: fix an interrupt residual problem",
                            "    - net: hns3: fixed debugfs tm_qset size",
                            "    - net: hns3: defer calling ptp_clock_register()",
                            "    - net: vertexcom: mse102x: Fix possible stuck of SPI interrupt",
                            "    - net: vertexcom: mse102x: Fix LEN_MASK",
                            "    - net: vertexcom: mse102x: Add range check for CMD_RTS",
                            "    - net: vertexcom: mse102x: Fix RX error handling",
                            "    - accel/ivpu: Abort all jobs after command queue unregister",
                            "    - accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW",
                            "    - drm/xe: Invalidate L3 read-only cachelines for geometry streams too",
                            "    - platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7",
                            "    - ublk: add helper of ublk_need_map_io()",
                            "    - ublk: properly serialize all FETCH_REQs",
                            "    - ublk: move device reset into ublk_ch_release()",
                            "    - ublk: improve detection and handling of ublk server exit",
                            "    - ublk: remove __ublk_quiesce_dev()",
                            "    - ublk: simplify aborting ublk request",
                            "    - firmware: arm_ffa: Skip Rx buffer ownership release if not acquired",
                            "    - arm64: dts: imx95: Correct the range of PCIe app-reg region",
                            "    - ARM: dts: opos6ul: add ksz8081 phy properties",
                            "    - arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs",
                            "    - arm64: dts: st: Use 128kB size for aliased GIC400 register access on",
                            "      stm32mp25 SoCs",
                            "    - block: introduce zone capacity helper",
                            "    - btrfs: zoned: skip reporting zone for new block group",
                            "    - kernel: param: rename locate_module_kobject",
                            "    - kernel: globalize lookup_or_create_module_kobject()",
                            "    - drivers: base: handle module_kobject creation",
                            "    - btrfs: expose per-inode stable writes flag",
                            "    - btrfs: pass struct btrfs_inode to btrfs_read_locked_inode()",
                            "    - btrfs: pass struct btrfs_inode to btrfs_iget_locked()",
                            "    - drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp",
                            "    - bcachefs: Change btree_insert_node() assertion to error",
                            "    - dm: fix copying after src array boundaries",
                            "    - Linux 6.14.6",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37903",
                            "    - drm/amd/display: Fix slab-use-after-free in hdcp",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37904",
                            "    - btrfs: fix the inode leak in btrfs_iget()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37905",
                            "    - firmware: arm_scmi: Balance device refcount when destroying devices",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37906",
                            "    - ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37907",
                            "    - accel/ivpu: Fix locking order in ivpu_job_submit",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37908",
                            "    - mm, slab: clean up slab->obj_exts always",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37933",
                            "    - octeon_ep: Fix host hang issue during device reboot",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37909",
                            "    - net: lan743x: Fix memleak issue when GSO enabled",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37910",
                            "    - ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37894",
                            "    - net: use sock_gen_put() when sk_state is TCP_TIME_WAIT",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37934",
                            "    - ASoC: simple-card-utils: Fix pointer check in",
                            "      graph_util_parse_link_direction",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37911",
                            "    - bnxt_en: Fix out-of-bound memcpy() during ethtool -w",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37895",
                            "    - bnxt_en: Fix error handling path in bnxt_init_chip()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37935",
                            "    - net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37891",
                            "    - ALSA: ump: Fix buffer overflow at UMP SysEx message conversion",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37912",
                            "    - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37913",
                            "    - net_sched: qfq: Fix double list add in class with netem as child qdisc",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37914",
                            "    - net_sched: ets: Fix double list add in class with netem as child qdisc",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37915",
                            "    - net_sched: drr: Fix double list add in class with netem as child qdisc",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37916",
                            "    - pds_core: remove write-after-free of client_id",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37917",
                            "    - net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx",
                            "      poll",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37918",
                            "    - Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37919",
                            "    - ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37896",
                            "    - spi: spi-mem: Add fix to avoid divide error",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37920",
                            "    - xsk: Fix race condition in AF_XDP generic RX path",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37921",
                            "    - vxlan: vnifilter: Fix unlocked deletion of default FDB entry",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37897",
                            "    - wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37898",
                            "    - powerpc64/ftrace: fix module loading without patchable function entries",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37922",
                            "    - book3s64/radix : Align section vmemmap start address to PAGE_SIZE",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37923",
                            "    - tracing: Fix oob write in trace_seq_to_buffer()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37899",
                            "    - ksmbd: fix use-after-free in session logoff",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37924",
                            "    - ksmbd: fix use-after-free in kerberos authentication",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37926",
                            "    - ksmbd: fix use-after-free in ksmbd_session_rpc_open",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37900",
                            "    - iommu: Fix two issues in iommu_copy_struct_from_user()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37927",
                            "    - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37928",
                            "    - dm-bufio: don't schedule in atomic context",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37990",
                            "    - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37901",
                            "    - irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37936",
                            "    - perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's",
                            "      value.",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37991",
                            "    - parisc: Fix double SIGFPE crash",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37929",
                            "    - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37930",
                            "    - drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()",
                            "",
                            "  * Plucky update: v6.14.6 upstream stable release (LP: #2113881) //",
                            "    CVE-2025-37931",
                            "    - btrfs: adjust subpage bit start based on sectorsize",
                            "",
                            "  * Support Sony IMX471 camera sensor for Intel IPU7 platforms (LP: #2107320)",
                            "    - SAUCE: media: ipu-bridge: Support imx471 sensor",
                            "",
                            "  * deadlock on cpu_hotplug_lock in __accept_page() (LP: #2109543)",
                            "    - mm/page_alloc: fix deadlock on cpu_hotplug_lock in __accept_page()",
                            "",
                            "  * Plucky fails to boot on (older) Macs (LP: #2105402)",
                            "    - SAUCE: hack: efi/libstub: enable t14s boot failure hack only on arm64",
                            "",
                            "  * CVE-2025-37798",
                            "    - sch_htb: make htb_qlen_notify() idempotent",
                            "    - sch_htb: make htb_deactivate() idempotent",
                            "    - sch_drr: make drr_qlen_notify() idempotent",
                            "    - sch_hfsc: make hfsc_qlen_notify() idempotent",
                            "    - sch_qfq: make qfq_qlen_notify() idempotent",
                            "    - sch_ets: make est_qlen_notify() idempotent",
                            "    - selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent",
                            "    - selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent",
                            "    - selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent",
                            "    - selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent",
                            "    - selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent",
                            "",
                            "  * CVE-2025-37997",
                            "    - netfilter: ipset: fix region locking in hash types",
                            "",
                            "  * CVE-2025-37890",
                            "    - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child",
                            "      qdisc",
                            "    - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()",
                            "    - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-24.24",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2114501,
                            1786013,
                            2107976,
                            2112462,
                            2112469,
                            2114174,
                            2114174,
                            2114174,
                            2112582,
                            2109951,
                            2110090,
                            2111861,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2113881,
                            2107320,
                            2109543,
                            2105402
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 15 Jun 2025 12:04:06 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-22.22 -proposed tracker (LP: #2111404)",
                            "",
                            "  * snapd has high CPU usage for exactly 150 seconds every 5, 7.5 or 10 minutes",
                            "    (LP: #2110289)",
                            "    - fs/eventpoll: fix endless busy loop after timeout has expired",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-22.22",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111404,
                            2110289
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 21 May 2025 11:38:35 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-37799",
                                "url": "https://ubuntu.com/security/CVE-2025-37799",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp  vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes).  We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.  In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets).  We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible).  Commit e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts. 
For e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-03 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37800",
                                "url": "https://ubuntu.com/security/CVE-2025-37800",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  driver core: fix potential NULL pointer dereference in dev_uevent()  If userspace reads \"uevent\" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it.  Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37801",
                                "url": "https://ubuntu.com/security/CVE-2025-37801",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: spi-imx: Add check for spi_imx_setupxfer()  Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference.   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000  Call trace:   0x0   spi_imx_pio_transfer+0x50/0xd8   spi_imx_transfer_one+0x18c/0x858   spi_transfer_one_message+0x43c/0x790   __spi_pump_transfer_message+0x238/0x5d4   __spi_sync+0x2b0/0x454   spi_write_then_read+0x11c/0x200",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37802",
                                "url": "https://ubuntu.com/security/CVE-2025-37802",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix WARNING \"do not call blocking ops when !TASK_RUNNING\"  wait_event_timeout() will set the state of the current task to TASK_UNINTERRUPTIBLE, before doing the condition check. This means that ksmbd_durable_scavenger_alive() will try to acquire the mutex while already in a sleeping state. The scheduler warns us by giving the following warning:  do not call blocking ops when !TASK_RUNNING; state=2 set at  [<0000000061515a6f>] prepare_to_wait_event+0x9f/0x6c0 WARNING: CPU: 2 PID: 4147 at kernel/sched/core.c:10099 __might_sleep+0x12f/0x160  mutex lock is not needed in ksmbd_durable_scavenger_alive().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37876",
                                "url": "https://ubuntu.com/security/CVE-2025-37876",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS  When testing a special config:  CONFIG_NETFS_SUPPORTS=y CONFIG_PROC_FS=n  The system crashes with something like:  [    3.766197] ------------[ cut here ]------------ [    3.766484] kernel BUG at mm/mempool.c:560! [    3.766789] Oops: invalid opcode: 0000 [#1] SMP NOPTI [    3.767123] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W [    3.767777] Tainted: [W]=WARN [    3.767968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), [    3.768523] RIP: 0010:mempool_alloc_slab.cold+0x17/0x19 [    3.768847] Code: 50 fe ff 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 93 95 13 00 [    3.769977] RSP: 0018:ffffc90000013998 EFLAGS: 00010286 [    3.770315] RAX: 000000000000002f RBX: ffff888100ba8640 RCX: 0000000000000000 [    3.770749] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff [    3.771217] RBP: 0000000000092880 R08: 0000000000000000 R09: ffffc90000013828 [    3.771664] R10: 0000000000000001 R11: 00000000ffffffea R12: 0000000000092cc0 [    3.772117] R13: 0000000000000400 R14: ffff8881004b1620 R15: ffffea0004ef7e40 [    3.772554] FS:  0000000000000000(0000) GS:ffff8881b5f3c000(0000) knlGS:0000000000000000 [    3.773061] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [    3.773443] CR2: ffffffff830901b4 CR3: 0000000004296001 CR4: 0000000000770ef0 [    3.773884] PKRU: 55555554 [    3.774058] Call Trace: [    3.774232]  <TASK> [    3.774371]  mempool_alloc_noprof+0x6a/0x190 [    3.774649]  ? _printk+0x57/0x80 [    3.774862]  netfs_alloc_request+0x85/0x2ce [    3.775147]  netfs_readahead+0x28/0x170 [    3.775395]  read_pages+0x6c/0x350 [    3.775623]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.775928]  page_cache_ra_unbounded+0x1bd/0x2a0 [    3.776247]  filemap_get_pages+0x139/0x970 [    3.776510]  ? 
srso_alias_return_thunk+0x5/0xfbef5 [    3.776820]  filemap_read+0xf9/0x580 [    3.777054]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.777368]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.777674]  ? find_held_lock+0x32/0x90 [    3.777929]  ? netfs_start_io_read+0x19/0x70 [    3.778221]  ? netfs_start_io_read+0x19/0x70 [    3.778489]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.778800]  ? lock_acquired+0x1e6/0x450 [    3.779054]  ? srso_alias_return_thunk+0x5/0xfbef5 [    3.779379]  netfs_buffered_read_iter+0x57/0x80 [    3.779670]  __kernel_read+0x158/0x2c0 [    3.779927]  bprm_execve+0x300/0x7a0 [    3.780185]  kernel_execve+0x10c/0x140 [    3.780423]  ? __pfx_kernel_init+0x10/0x10 [    3.780690]  kernel_init+0xd5/0x150 [    3.780910]  ret_from_fork+0x2d/0x50 [    3.781156]  ? __pfx_kernel_init+0x10/0x10 [    3.781414]  ret_from_fork_asm+0x1a/0x30 [    3.781677]  </TASK> [    3.781823] Modules linked in: [    3.782065] ---[ end trace 0000000000000000 ]---  This is caused by the following error path in netfs_init():          if (!proc_mkdir(\"fs/netfs\", NULL))                 goto error_proc;  Fix this by adding ifdef in netfs_main(), so that /proc/fs/netfs is only created with CONFIG_PROC_FS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37877",
                                "url": "https://ubuntu.com/security/CVE-2025-37877",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommu: Clear iommu-dma ops on cleanup  If iommu_device_register() encounters an error, it can end up tearing down already-configured groups and default domains, however this currently still leaves devices hooked up to iommu-dma (and even historically the behaviour in this area was at best inconsistent across architectures/drivers...) Although in the case that an IOMMU is present whose driver has failed to probe, users cannot necessarily expect DMA to work anyway, it's still arguable that we should do our best to put things back as if the IOMMU driver was never there at all, and certainly the potential for crashing in iommu-dma itself is undesirable. Make sure we clean up the dev->dma_iommu flag along with everything else.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37878",
                                "url": "https://ubuntu.com/security/CVE-2025-37878",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init  Move the get_ctx(child_ctx) call and the child_event->ctx assignment to occur immediately after the child event is allocated. Ensure that child_event->ctx is non-NULL before any subsequent error path within inherit_event calls free_event(), satisfying the assumptions of the cleanup code.  Details:  There's no clear Fixes tag, because this bug is a side-effect of multiple interacting commits over time (up to 15 years old), not a single regression.  The code initially incremented refcount then assigned context immediately after the child_event was created. Later, an early validity check for child_event was added before the refcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was added, assuming event->ctx is valid if the pmu_ctx is valid. The problem is that the WARN_ON_ONCE() could trigger after the initial check passed but before child_event->ctx was assigned, violating its precondition. The solution is to assign child_event->ctx right after its initial validation. This ensures the context exists for any subsequent checks or cleanup routines, resolving the WARN_ON_ONCE().  To resolve it, defer the refcount update and child_event->ctx assignment directly after child_event->pmu_ctx is set but before checking if the parent event is orphaned. The cleanup routine depends on event->pmu_ctx being non-NULL before it verifies event->ctx is non-NULL. This also maintains the author's original intent of passing in child_ctx to find_get_pmu_context before its refcount/assignment.  [ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37803",
                                "url": "https://ubuntu.com/security/CVE-2025-37803",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udmabuf: fix a buf size overflow issue during udmabuf creation  by casting size_limit_mb to u64  when calculate pglimit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37804",
                                "url": "https://ubuntu.com/security/CVE-2025-37804",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "negligible",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37879",
                                "url": "https://ubuntu.com/security/CVE-2025-37879",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/net: fix improper handling of bogus negative read/write replies  In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) <= rsize (positive) because both variables were signed.  Make variables unsigned to avoid this problem.  The reproducer linked below now fails with the following error instead of a null pointer deref: 9pnet: bogus RWRITE count (4294967295 > 3)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37880",
                                "url": "https://ubuntu.com/security/CVE-2025-37880",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  um: work around sched_yield not yielding in time-travel mode  sched_yield by a userspace may not actually cause scheduling in time-travel mode as no time has passed. In the case seen it appears to be a badly implemented userspace spinlock in ASAN. Unfortunately, with time-travel it causes an extreme slowdown or even deadlock depending on the kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS).  Work around it by accounting time to the process whenever it executes a sched_yield syscall.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37881",
                                "url": "https://ubuntu.com/security/CVE-2025-37881",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()  The variable d->name, returned by devm_kasprintf(), could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 (\"ice: Fix some null pointer dereference issues in ice_ptp.c\").  This issue is found by our static analysis tool",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37882",
                                "url": "https://ubuntu.com/security/CVE-2025-37882",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: xhci: Fix isochronous Ring Underrun/Overrun event handling  The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position.  I can trigger this race by rising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load.  If this ever happens after a Missed Service Error, missed TDs will be skipped and the new TD processed as if it matched the event. It could be given back prematurely, risking data loss or buffer UAF by the xHC.  Don't complete TDs on xrun events and don't warn if queued TDs don't match the event's TRB pointer, which can be NULL or a link/no-op TRB. Don't warn if there are no queued TDs at all.  Now that it's safe, also handle xrun events if the skip flag is clear. This ensures completion of any TD stuck in 'error mid TD' state right before the xrun event, which could happen if a driver submits a finite number of URBs to a buggy HC and then an error occurs on the last TD.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37805",
                                "url": "https://ubuntu.com/security/CVE-2025-37805",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound/virtio: Fix cancel_sync warnings on uninitialized work_structs  Betty reported hitting the following warning:  [    8.709131][  T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182 ... [    8.713282][  T221] Call trace: [    8.713365][  T221]  __flush_work+0x8d0/0x914 [    8.713468][  T221]  __cancel_work_sync+0xac/0xfc [    8.713570][  T221]  cancel_work_sync+0x24/0x34 [    8.713667][  T221]  virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] [    8.713868][  T221]  virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] [    8.714035][  T221]  virtio_dev_probe+0x28c/0x390 [    8.714139][  T221]  really_probe+0x1bc/0x4c8 ...  It seems we're hitting the error path in virtsnd_probe(), which triggers a virtsnd_remove() which iterates over the substreams calling cancel_work_sync() on the elapsed_period work_struct.  Looking at the code, from earlier in: virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg()  We set snd->nsubstreams, allocate the snd->substreams, and if we then hit an error on the info allocation or something in virtsnd_ctl_query_info() fails, we will exit without having initialized the elapsed_period work_struct.  When that error path unwinds we then call virtsnd_remove() which as long as the substreams array is allocated, will iterate through calling cancel_work_sync() on the uninitialized work struct hitting this warning.  Takashi Iwai suggested this fix, which initializes the substreams structure right after allocation, so that if we hit the error paths we avoid trying to cleanup uninitialized data.  Note: I have not yet managed to reproduce the issue myself, so this patch has had limited testing.  Feedback or thoughts would be appreciated!",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37806",
                                "url": "https://ubuntu.com/security/CVE-2025-37806",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/ntfs3: Keep write operations atomic  syzbot reported a NULL pointer dereference in __generic_file_write_iter. [1]  Before the write operation is completed, the user executes ioctl[2] to clear the compress flag of the file, which causes the is_compressed() judgment to return 0, further causing the program to enter the wrong process and call the wrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of write_begin.  Use inode lock to synchronize ioctl and write to avoid this case.  [1] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info:   ESR = 0x0000000086000006   EC = 0x21: IABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000 [0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055 sp : ffff80009d4978a0 x29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8 x26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68 x23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000 x20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c x17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001 x14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0 x11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 
ffff80009d497980 x4 : ffff80009d497960 x3 : 0000000000001000 x2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0 Call trace:  0x0 (P)  __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156  ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267  new_sync_write fs/read_write.c:586 [inline]  vfs_write+0x920/0xcf4 fs/read_write.c:679  ksys_write+0x15c/0x26c fs/read_write.c:731  __do_sys_write fs/read_write.c:742 [inline]  __se_sys_write fs/read_write.c:739 [inline]  __arm64_sys_write+0x7c/0x90 fs/read_write.c:739  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744  el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762  [2] ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000000c0)=0x20)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37883",
                                "url": "https://ubuntu.com/security/CVE-2025-37883",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/sclp: Add check for get_zeroed_page()  Add check for the return value of get_zeroed_page() in sclp_console_init() to prevent null pointer dereference. Furthermore, to solve the memory leak caused by the loop allocation, add a free helper to do the free job.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37884",
                                "url": "https://ubuntu.com/security/CVE-2025-37884",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix deadlock between rcu_tasks_trace and event_mutex.  Fix the following deadlock: CPU A _free_event()   perf_kprobe_destroy()     mutex_lock(&event_mutex)       perf_trace_event_unreg()         synchronize_rcu_tasks_trace()  There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case.  CPU B bpf_prog_test_run_syscall()   rcu_read_lock_trace()     bpf_prog_run_pin_on_cpu()       bpf_prog_load()         bpf_tracing_func_proto()           trace_set_clr_event()             mutex_lock(&event_mutex)  Delegate trace_set_clr_event() to workqueue to avoid such lock dependency.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37807",
                                "url": "https://ubuntu.com/security/CVE-2025-37807",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix kmemleak warning for percpu hashmap  Vlad Poenaru reported the following kmemleak issue:    unreferenced object 0x606fd7c44ac8 (size 32):     backtrace (crc 0):       pcpu_alloc_noprof+0x730/0xeb0       bpf_map_alloc_percpu+0x69/0xc0       prealloc_init+0x9d/0x1b0       htab_map_alloc+0x363/0x510       map_create+0x215/0x3a0       __sys_bpf+0x16b/0x3e0       __x64_sys_bpf+0x18/0x20       do_syscall_64+0x7b/0x150       entry_SYSCALL_64_after_hwframe+0x4b/0x53  Further investigation shows the reason is due to not 8-byte aligned store of percpu pointer in htab_elem_set_ptr():   *(void __percpu **)(l->key + key_size) = pptr;  Note that the whole htab_elem alignment is 8 (for x86_64). If the key_size is 4, that means pptr is stored in a location which is 4 byte aligned but not 8 byte aligned. In mm/kmemleak.c, scan_block() scans the memory based on 8 byte stride, so it won't detect above pptr, hence reporting the memory leak.  In htab_map_alloc(), we already have          htab->elem_size = sizeof(struct htab_elem) +                           round_up(htab->map.key_size, 8);         if (percpu)                 htab->elem_size += sizeof(void *);         else                 htab->elem_size += round_up(htab->map.value_size, 8);  So storing pptr with 8-byte alignment won't cause any problem and can fix kmemleak too.  The issue can be reproduced with bpf selftest as well:   1. Enable CONFIG_DEBUG_KMEMLEAK config   2. Add a getchar() before skel destroy in test_hash_map() in prog_tests/for_each.c.      The purpose is to keep map available so kmemleak can be detected.   3. run './test_progs -t for_each/hash_map &' and a kmemleak should be reported.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37808",
                                "url": "https://ubuntu.com/security/CVE-2025-37808",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: null - Use spin lock instead of mutex  As the null algorithm may be freed in softirq context through af_alg, use spin locks instead of mutexes to protect the default null algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37809",
                                "url": "https://ubuntu.com/security/CVE-2025-37809",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: class: Fix NULL pointer access  Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer dereference. This patch adds a mutex to protect USB device pointers and prevent this issue. The same mutex protects both the device pointers and the partner device registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37810",
                                "url": "https://ubuntu.com/security/CVE-2025-37810",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: dwc3: gadget: check that event count does not exceed event buffer length  The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37811",
                                "url": "https://ubuntu.com/security/CVE-2025-37811",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: chipidea: ci_hdrc_imx: fix usbmisc handling  usbmisc is an optional device property so it is totally valid for the corresponding data->usbmisc_data to have a NULL value.  Check that before dereferencing the pointer.  Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37812",
                                "url": "https://ubuntu.com/security/CVE-2025-37812",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: Fix deadlock when using NCM gadget  The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 (\"usb: cdnsp: Fix deadlock issue during using NCM gadget\").  Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using \"iperf --bidir\" over NCM ethernet link.  The deadlock occurs because the threaded interrupt handler gets preempted by a softirq, but both are protected by the same spinlock. Prevent deadlock by disabling softirq during threaded irq handler.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37813",
                                "url": "https://ubuntu.com/security/CVE-2025-37813",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: xhci: Fix invalid pointer dereference in Etron workaround  This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called.  Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well.  Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result.  Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37814",
                                "url": "https://ubuntu.com/security/CVE-2025-37814",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT  This requirement was overeagerly loosened in commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN\"), but as it turns out,    (1) the logic I implemented there was inconsistent (apologies!),    (2) TIOCL_SELMOUSEREPORT might actually be a small security risk       after all, and    (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse       daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN       already.  In more detail:  1. The previous patch has inconsistent logic:     In commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes    without CAP_SYS_ADMIN\"), we checked for sel_mode ==    TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of    this \"mode\" parameter were actually used as an additional way to    pass an argument.  So the patch did actually still require    CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not    require it if none of the mouse buttons bits are set.     This logic is inconsistent and was not intentional.  We should have    the same policies for using TIOCL_SELMOUSEREPORT independent of the    value of the \"hidden\" mouse button argument.     I sent a separate documentation patch to the man page list with    more details on TIOCL_SELMOUSEREPORT:    https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/  2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can    let an attacker simulate \"keyboard\" input to command line    applications on the same terminal, like TIOCSTI and some other    TIOCLINUX \"selection mode\" IOCTLs.     
By enabling mouse reporting on a terminal and then injecting mouse    reports through TIOCL_SELMOUSEREPORT, an attacker can simulate    mouse movements on the same terminal, similar to the TIOCSTI    keystroke injection attacks that were previously possible with    TIOCSTI and other TIOCL_SETSEL selection modes.     Many programs (including libreadline/bash) are then prone to    misinterpret these mouse reports as normal keyboard input because    they do not expect input in the X11 mouse protocol form.  The    attacker does not have complete control over the escape sequence,    but they can at least control the values of two consecutive bytes    in the binary mouse reporting escape sequence.     I went into more detail on that in the discussion at    https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/     It is not equally trivial to simulate arbitrary keystrokes as it    was with TIOCSTI (commit 83efeeeb3d04 (\"tty: Allow TIOCSTI to be    disabled\")), but the general mechanism is there, and together with    the small number of existing legit use cases (see below), it would    be better to revert back to requiring CAP_SYS_ADMIN for    TIOCL_SELMOUSEREPORT, as it was already the case before    commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes without    CAP_SYS_ADMIN\").  3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or    Consolation), and they are the only legit use case:     To quote console_codes(4):       The mouse tracking facility is intended to return      xterm(1)-compatible mouse status reports.  Because the console      driver has no way to know the device or type of the mouse, these      reports are returned in the console input stream only when the      virtual terminal driver receives a mouse update ioctl.  These      ioctls must be generated by a mouse-aware user-mode application      such as the gpm(8) daemon.     
Jared Finder has also confirmed in    https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/    that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it    would be difficult to find good reasons for doing that, given that    it would interfere with the reports that GPM is sending.     More information on the interaction between GPM, terminals and th ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37815",
                                "url": "https://ubuntu.com/security/CVE-2025-37815",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration  Resolve kernel panic while accessing IRQ handler associated with the generated IRQ. This is done by acquiring the spinlock and storing the current interrupt state before handling the interrupt request using generic_handle_irq.  A previous fix patch was submitted where 'generic_handle_irq' was replaced with 'handle_nested_irq'. However, this change also causes the kernel panic where after determining which GPIO triggered the interrupt and attempting to call handle_nested_irq with the mapped IRQ number, leads to a failure in locating the registered handler.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37885",
                                "url": "https://ubuntu.com/security/CVE-2025-37885",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Reset IRTE to host control if *new* route isn't postable  Restore an IRTE back to host control (remapped or posted MSI mode) if the *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of the GSI routing type.  Updating the IRTE if and only if the new GSI is an MSI results in KVM leaving an IRTE posting to a vCPU.  The dangling IRTE can result in interrupts being incorrectly delivered to the guest, and in the worst case scenario can result in use-after-free, e.g. if the VM is torn down, but the underlying host IRQ isn't freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37816",
                                "url": "https://ubuntu.com/security/CVE-2025-37816",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mei: vsc: Fix fortify-panic caused by invalid counted_by() use  gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length *without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered:  [   80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [   80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 ... [   80.843175]  __fortify_panic+0x9/0xb [   80.843186]  vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] [   80.843210]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [   80.843229]  ? lockdep_hardirqs_on+0x7c/0x110 [   80.843250]  mei_vsc_hw_start+0x98/0x120 [mei_vsc] [   80.843270]  mei_reset+0x11d/0x420 [mei]  The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet.  Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37817",
                                "url": "https://ubuntu.com/security/CVE-2025-37817",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mcb: fix a double free bug in chameleon_parse_gdd()  In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37818",
                                "url": "https://ubuntu.com/security/CVE-2025-37818",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Return NULL from huge_pte_offset() for invalid PMD  LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot even if the underlying entry points to invalid_pte_table (indicating no mapping). Callers like smaps_hugetlb_range() fetch this invalid entry value (the address of invalid_pte_table) via this pointer.  The generic is_swap_pte() check then incorrectly identifies this address as a swap entry on LoongArch, because it satisfies the \"!pte_present() && !pte_none()\" conditions. This misinterpretation, combined with a coincidental match by is_migration_entry() on the address bits, leads to kernel crashes in pfn_swap_entry_to_page().  Fix this at the architecture level by modifying huge_pte_offset() to check the PMD entry's content using pmd_none() before returning. If the entry is invalid (i.e., it points to invalid_pte_table), return NULL instead of the pointer to the slot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37819",
                                "url": "https://ubuntu.com/security/CVE-2025-37819",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()  With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger:   Unable to handle kernel paging request at virtual address ffff8000816c0400   gicv2m_get_fwnode+0x0/0x58 (P)   pci_set_bus_msi_domain+0x74/0x88   pci_register_host_bridge+0x194/0x548  This is easily reproducible on a Juno board with ACPI boot.  Retain the function for later use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37820",
                                "url": "https://ubuntu.com/security/CVE-2025-37820",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()  The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior.  On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the page's reference count is not decremented.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37821",
                                "url": "https://ubuntu.com/security/CVE-2025-37821",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash  There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash.  The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case:  1. In the if (entity_is_task(se)) else block at the beginning of    dequeue_entities(), slice is set to    cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then    it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX. 2. The first for_each_sched_entity() loop dequeues the entity. 3. If the entity was its parent's only child, then the next iteration    tries to dequeue the parent. 4. If the parent's dequeue needs to be delayed, then it breaks from the    first for_each_sched_entity() loop _without updating slice_. 5. The second for_each_sched_entity() loop sets the parent's ->slice to    the saved slice, which is still U64_MAX.  This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was:  6. In update_entity_lag(), se->slice is used to calculate limit, which    ends up as a huge negative number. 7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit    is negative, vlag > limit, so se->vlag is set to the same huge    negative number. 8. In place_entity(), se->vlag is scaled, which overflows and results in    another huge (positive or negative) number. 9. The adjusted lag is subtracted from se->vruntime, which increases or    decreases se->vruntime by a huge number. 10. 
pick_eevdf() calls entity_eligible()/vruntime_eligible(), which     incorrectly returns false because the vruntime is so far from the     other vruntimes on the queue, causing the     (vruntime - cfs_rq->min_vruntime) * load calculation to overflow. 11. Nothing appears to be eligible, so pick_eevdf() returns NULL. 12. pick_next_entity() tries to dereference the return value of     pick_eevdf() and crashes.  Dumping the cfs_rq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64_MAX on live systems (which was usually \"benign\" since the rest of the runqueue needed to be in a particular state to crash).  Fix it in dequeue_entities() by always setting slice from the first non-empty cfs_rq.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37822",
                                "url": "https://ubuntu.com/security/CVE-2025-37822",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: uprobes: Add missing fence.i after building the XOL buffer  The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution of stale/broken instructions.  This was found running the BPF selftests \"test_progs: uprobe_autoattach, attach_probe\" on the Spacemit K1/X60, where the uprobes tests randomly blew up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37886",
                                "url": "https://ubuntu.com/security/CVE-2025-37886",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pds_core: make wait_context part of q_info  Make the wait_context a full part of the q_info struct rather than a stack variable that goes away after pdsc_adminq_post() is done so that the context is still available after the wait loop has given up.  There was a case where a slow development firmware caused the adminq request to time out, but then later the FW finally finished the request and sent the interrupt.  The handler tried to complete_all() the completion context that had been created on the stack in pdsc_adminq_post() but no longer existed. This caused bad pointer usage, kernel crashes, and much wailing and gnashing of teeth.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37887",
                                "url": "https://ubuntu.com/security/CVE-2025-37887",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result  If the FW doesn't support the PDS_CORE_CMD_FW_CONTROL command the driver might at the least print garbage and at the worst crash when the user runs the \"devlink dev info\" devlink command.  This happens because the stack variable fw_list is not 0 initialized which results in fw_list.num_fw_slots being a garbage value from the stack.  Then the driver tries to access fw_list.fw_names[i] with i >= ARRAY_SIZE and runs off the end of the array.  Fix this by initializing the fw_list and by not failing completely if the devcmd fails because other useful information is printed via devlink dev info even if the devcmd fails.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37823",
                                "url": "https://ubuntu.com/security/CVE-2025-37823",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too  Similarly to the previous patch, we need to safeguard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37797",
                                "url": "https://ubuntu.com/security/CVE-2025-37797",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class handling  This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel.  The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,    codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding    the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes    are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free  The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37824",
                                "url": "https://ubuntu.com/security/CVE-2025-37824",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: fix NULL pointer dereference in tipc_mon_reinit_self()  syzbot reported:  tipc: Node number set to 1055423674 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events tipc_net_finalize_work RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140  process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238  process_scheduled_works kernel/workqueue.c:3319 [inline]  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400  kthread+0x3c2/0x780 kernel/kthread.c:464  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK> ... RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... 
RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  There is a racing condition between workqueue created when enabling bearer and another thread created when disabling bearer right after that as follow:  enabling_bearer                          | disabling_bearer ---------------                          | ---------------- tipc_disc_timeout()                      | {                                        | bearer_disable()  ...                                     | {  schedule_work(&tn->work);               |  tipc_mon_delete()  ...                                     |  { }                                        |   ...                                          |   write_lock_bh(&mon->lock);                                          |   mon->self = NULL;                                          |   write_unlock_bh(&mon->lock);                                          |   ...                                          |  } tipc_net_finalize_work()                 | } {                                        |  ...                                     |  tipc_net_finalize()                     |  {                                       |   ...                                    |   tipc_mon_reinit_self()                 |   {                                      |    ...                                   
|    write_lock_bh(&mon->lock);            |    mon->self->addr = tipc_own_addr(net); |    write_unlock_bh(&mon->lock);          |    ...             ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37825",
                                "url": "https://ubuntu.com/security/CVE-2025-37825",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet: fix out-of-bounds access in nvmet_enable_port  When trying to enable a port that has no transport configured yet, nvmet_enable_port() uses NVMF_TRTYPE_MAX (255) to query the transports array, causing an out-of-bounds access:  [  106.058694] BUG: KASAN: global-out-of-bounds in nvmet_enable_port+0x42/0x1da [  106.058719] Read of size 8 at addr ffffffff89dafa58 by task ln/632 [...] [  106.076026] nvmet: transport type 255 not supported  Since commit 200adac75888, NVMF_TRTYPE_MAX is the default state as configured by nvmet_ports_make(). Avoid this by checking for NVMF_TRTYPE_MAX before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37826",
                                "url": "https://ubuntu.com/security/CVE-2025-37826",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer()  Add a NULL check for the returned hwq pointer by ufshcd_mcq_req_to_hwq().  This is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix ufshcd_abort_one racing issue\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37888",
                                "url": "https://ubuntu.com/security/CVE-2025-37888",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()  Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-09 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37827",
                                "url": "https://ubuntu.com/security/CVE-2025-37827",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: zoned: return EIO on RAID1 block group write pointer mismatch  There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks.  The stack trace has the following signature:    BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile   BUG: kernel NULL pointer dereference, address: 0000000000000058   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 0 P4D 0   Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI   RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0   RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246   RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001   RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410   RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000   R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000   R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000   FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000   CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0   Call Trace:   <TASK>   ? __die_body.cold+0x19/0x27   ? page_fault_oops+0x15c/0x2f0   ? exc_page_fault+0x7e/0x180   ? asm_exc_page_fault+0x26/0x30   ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0   btrfs_add_free_space_async_trimmed+0x34/0x40   btrfs_add_new_free_space+0x107/0x120   btrfs_make_block_group+0x104/0x2b0   btrfs_create_chunk+0x977/0xf20   btrfs_chunk_alloc+0x174/0x510   ? srso_return_thunk+0x5/0x5f   btrfs_inc_block_group_ro+0x1b1/0x230   btrfs_relocate_block_group+0x9e/0x410   btrfs_relocate_chunk+0x3f/0x130   btrfs_balance+0x8ac/0x12b0   ? srso_return_thunk+0x5/0x5f   ? 
srso_return_thunk+0x5/0x5f   ? __kmalloc_cache_noprof+0x14c/0x3e0   btrfs_ioctl+0x2686/0x2a80   ? srso_return_thunk+0x5/0x5f   ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120   __x64_sys_ioctl+0x97/0xc0   do_syscall_64+0x82/0x160   ? srso_return_thunk+0x5/0x5f   ? __memcg_slab_free_hook+0x11a/0x170   ? srso_return_thunk+0x5/0x5f   ? kmem_cache_free+0x3f0/0x450   ? srso_return_thunk+0x5/0x5f   ? srso_return_thunk+0x5/0x5f   ? syscall_exit_to_user_mode+0x10/0x210   ? srso_return_thunk+0x5/0x5f   ? do_syscall_64+0x8e/0x160   ? sysfs_emit+0xaf/0xc0   ? srso_return_thunk+0x5/0x5f   ? srso_return_thunk+0x5/0x5f   ? seq_read_iter+0x207/0x460   ? srso_return_thunk+0x5/0x5f   ? vfs_read+0x29c/0x370   ? srso_return_thunk+0x5/0x5f   ? srso_return_thunk+0x5/0x5f   ? syscall_exit_to_user_mode+0x10/0x210   ? srso_return_thunk+0x5/0x5f   ? do_syscall_64+0x8e/0x160   ? srso_return_thunk+0x5/0x5f   ? exc_page_fault+0x7e/0x180   entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7fdab1e0ca6d   RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010   RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d   RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003   RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013   R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000   R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001   </TASK>   CR2: 0000000000000058   ---[ end trace 0000000000000000 ]---  The 1st line is the most interesting here:   BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile  When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems.  
But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37828",
                                "url": "https://ubuntu.com/security/CVE-2025-37828",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()  A race can occur between the MCQ completion path and the abort handler: once a request completes, __blk_mq_free_request() sets rq->mq_hctx to NULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in ufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash.  Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference.  As suggested by Bart, the ufshcd_cmd_inflight() check is removed.  This is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix ufshcd_abort_one racing issue\").  This is found by our static analysis tool KNighter.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37829",
                                "url": "https://ubuntu.com/security/CVE-2025-37829",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()  cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scpi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37830",
                                "url": "https://ubuntu.com/security/CVE-2025-37830",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()  cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37831",
                                "url": "https://ubuntu.com/security/CVE-2025-37831",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate()  cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. apple_soc_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37832",
                                "url": "https://ubuntu.com/security/CVE-2025-37832",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "negligible",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37833",
                                "url": "https://ubuntu.com/security/CVE-2025-37833",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads  Fix niu_try_msix() to not cause a fatal trap on sparc systems.  Set PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to work around a bug in the hardware or firmware.  For each vector entry in the msix table, niu chips will cause a fatal trap if any registers in that entry are read before that entries' ENTRY_DATA register is written to. Testing indicates writes to other registers are not sufficient to prevent the fatal trap, however the value does not appear to matter. This only needs to happen once after power up, so simply rebooting into a kernel lacking this fix will NOT cause the trap.  NON-RESUMABLE ERROR: Reporting on cpu 64 NON-RESUMABLE ERROR: TPC [0x00000000005f6900] <msix_prepare_msi_desc+0x90/0xa0> NON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff NON-RESUMABLE ERROR:     0000000800000000:0000000000000000:0000000000000000:0000000000000000] NON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff] NON-RESUMABLE ERROR: type [precise nonresumable] NON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv > NON-RESUMABLE ERROR: raddr [0xffffffffffffffff] NON-RESUMABLE ERROR: insn effective address [0x000000c50020000c] NON-RESUMABLE ERROR: size [0x8] NON-RESUMABLE ERROR: asi [0x00] CPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63 Workqueue: events work_for_cpu_fn TSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000    Not tainted TPC: <msix_prepare_msi_desc+0x90/0xa0> g0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100 g4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000 o0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620 o4: 0000000000000080 o5: 
0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128 RPC: <__pci_enable_msix_range+0x3cc/0x460> l0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020 l4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734 i0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d i4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0 I7: <niu_try_msix.constprop.0+0xc0/0x130 [niu]> Call Trace: [<00000000101888b0>] niu_try_msix.constprop.0+0xc0/0x130 [niu] [<000000001018f840>] niu_get_invariants+0x183c/0x207c [niu] [<00000000101902fc>] niu_pci_init_one+0x27c/0x2fc [niu] [<00000000005ef3e4>] local_pci_probe+0x28/0x74 [<0000000000469240>] work_for_cpu_fn+0x8/0x1c [<000000000046b008>] process_scheduled_works+0x144/0x210 [<000000000046b518>] worker_thread+0x13c/0x1c0 [<00000000004710e0>] kthread+0xb8/0xc8 [<00000000004060c8>] ret_from_fork+0x1c/0x2c [<0000000000000000>] 0x0 Kernel panic - not syncing: Non-resumable error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37834",
                                "url": "https://ubuntu.com/security/CVE-2025-37834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/vmscan: don't try to reclaim hwpoison folio  Syzkaller reports a bug as follows:  Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e memcg:ffff0000dd6d9000 anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:184! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : add_to_swap+0xbc/0x158 lr : add_to_swap+0xbc/0x158 sp : ffff800087f37340 x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 Call trace:  add_to_swap+0xbc/0x158  shrink_folio_list+0x12ac/0x2648  
shrink_inactive_list+0x318/0x948  shrink_lruvec+0x450/0x720  shrink_node_memcgs+0x280/0x4a8  shrink_node+0x128/0x978  balance_pgdat+0x4f0/0xb20  kswapd+0x228/0x438  kthread+0x214/0x230  ret_from_fork+0x10/0x20  I can reproduce this issue with the following steps:  1) When a dirty swapcache page is isolated by reclaim process and the    page isn't locked, inject memory failure for the page.    me_swapcache_dirty() clears uptodate flag and tries to delete from lru,    but fails.  Reclaim process will put the hwpoisoned page back to lru.  2) The process that maps the hwpoisoned page exits, the page is deleted    the page will never be freed and will be in the lru forever.  3) If we trigger a reclaim again and tries to reclaim the page,    add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is    cleared.  To fix it, skip the hwpoisoned page in shrink_folio_list().  Besides, the hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap it in shrink_folio_list(), otherwise the folio will fail to be unmaped by hwpoison_user_mappings() since the folio isn't in lru list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-08 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-20.20 -proposed tracker (LP: #2110652)",
                            "",
                            "  * Rotate the Canonical Livepatch key (LP: #2111244)",
                            "    - [Config] Prepare for Canonical Livepatch key rotation",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268)",
                            "    - soc: qcom: ice: introduce devm_of_qcom_ice_get",
                            "    - mmc: sdhci-msm: fix dev reference leaked through of_qcom_ice_get",
                            "    - PM: EM: use kfree_rcu() to simplify the code",
                            "    - PM: EM: Address RCU-related sparse warnings",
                            "    - media: i2c: imx214: Use subdev active state",
                            "    - media: i2c: imx214: Simplify with dev_err_probe()",
                            "    - media: i2c: imx214: Convert to CCI register access helpers",
                            "    - media: i2c: imx214: Replace register addresses with macros",
                            "    - media: i2c: imx214: Check number of lanes from device tree",
                            "    - media: i2c: imx214: Fix link frequency validation",
                            "    - media: ov08x40: Move ov08x40_identify_module() function up",
                            "    - media: ov08x40: Add missing ov08x40_identify_module() call on stream-start",
                            "    - iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary",
                            "      return value check",
                            "    - iio: adc: ad7768-1: Fix conversion result sign",
                            "    - of: resolver: Simplify of_resolve_phandles() using __free()",
                            "    - of: resolver: Fix device node refcount leakage in of_resolve_phandles()",
                            "    - scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get",
                            "    - PCI/MSI: Convert pci_msi_ignore_mask to per MSI domain flag",
                            "    - PCI/MSI: Handle the NOMASK flag correctly for all PCI/MSI backends",
                            "    - PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads",
                            "    - irqchip/renesas-rzv2h: Simplify rzv2h_icu_init()",
                            "    - irqchip/renesas-rzv2h: Add struct rzv2h_hw_info with t_offs variable",
                            "    - irqchip/renesas-rzv2h: Prevent TINT spurious interrupt",
                            "    - drm/xe/ptl: Apply Wa_14023061436",
                            "    - drm/xe/xe3lpg: Add Wa_13012615864",
                            "    - drm/xe: Add performance tunings to debugfs",
                            "    - drm/xe/rtp: Drop sentinels from arg to xe_rtp_process_to_sr()",
                            "    - drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change",
                            "    - lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP",
                            "    - ceph: Fix incorrect flush end position calculation",
                            "    - dma/contiguous: avoid warning about unused size_bytes",
                            "    - virtio_pci: Use self group type for cap commands",
                            "    - cpufreq: cppc: Fix invalid return value in .get() callback",
                            "    - cpufreq: Do not enable by default during compile testing",
                            "    - cpufreq: fix compile-test defaults",
                            "    - btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range()",
                            "    - cgroup/cpuset-v1: Add missing support for cpuset_v2_mode",
                            "    - vhost-scsi: Add better resource allocation failure handling",
                            "    - vhost-scsi: Fix vhost_scsi_send_bad_target()",
                            "    - vhost-scsi: Fix vhost_scsi_send_status()",
                            "    - net/mlx5: Move ttc allocation after switch case to prevent leaks",
                            "    - scsi: core: Clear flags for scsi_cmnd that did not complete",
                            "    - net: enetc: register XDP RX queues with frag_size",
                            "    - net: enetc: refactor bulk flipping of RX buffers to separate function",
                            "    - net: enetc: fix frame corruption on bpf_xdp_adjust_head/tail() and XDP_PASS",
                            "    - net: lwtunnel: disable BHs when required",
                            "    - net: phylink: force link down on major_config failure",
                            "    - net: phylink: fix suspend/resume with WoL enabled and link down",
                            "    - net: phy: leds: fix memory leak",
                            "    - virtio-net: Refactor napi_enable paths",
                            "    - virtio-net: Refactor napi_disable paths",
                            "    - virtio-net: disable delayed refill when pausing rx",
                            "    - net: ethernet: mtk_eth_soc: net: revise NETSYSv3 hardware configuration",
                            "    - fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount()",
                            "    - net: dsa: mt7530: sync driver-specific behavior of MT7531 variants",
                            "    - pds_core: Prevent possible adminq overflow/stuck condition",
                            "    - pds_core: Remove unnecessary check in pds_client_adminq_cmd()",
                            "    - net: phy: Add helper for getting tx amplitude gain",
                            "    - net: phy: dp83822: Add support for changing the transmit amplitude voltage",
                            "    - net: dp83822: Fix OF_MDIO config check",
                            "    - net: stmmac: fix dwmac1000 ptp timestamp status offset",
                            "    - net: stmmac: fix multiplication overflow when reading timestamp",
                            "    - block: never reduce ra_pages in blk_apply_bdi_limits",
                            "    - bdev: use bdev_io_min() for statx block size",
                            "    - block: move blkdev_{get,put} _no_open prototypes out of blkdev.h",
                            "    - block: remove the backing_inode variable in bdev_statx",
                            "    - block: don't autoload drivers on stat",
                            "    - iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE",
                            "    - riscv: Replace function-like macro by static inline function",
                            "    - ublk: remove io_cmds list in ublk_queue",
                            "    - ublk: comment on ubq->canceling handling in ublk_queue_rq()",
                            "    - ublk: implement ->queue_rqs()",
                            "    - ublk: remove unused cmd argument to ublk_dispatch_req()",
                            "    - ublk: call ublk_dispatch_req() for handling UBLK_U_IO_NEED_GET_DATA",
                            "    - splice: remove duplicate noinline from pipe_clear_nowait",
                            "    - fs/xattr: Fix handling of AT_FDCWD in setxattrat(2) and getxattrat(2)",
                            "    - bpf: Add namespace to BPF internal symbols",
                            "    - Revert \"drm/meson: vclk: fix calculation of 59.94 fractional rates\"",
                            "    - drm/meson: use unsigned long long / Hz for frequency types",
                            "    - perf/x86: Fix non-sampling (counting) events on certain x86 platforms",
                            "    - LoongArch: Select ARCH_USE_MEMTEST",
                            "    - LoongArch: Make regs_irqs_disabled() more clear",
                            "    - LoongArch: Make do_xyz() exception handlers more robust",
                            "    - net: stmmac: simplify phylink_suspend() and phylink_resume() calls",
                            "    - net: phylink: add phylink_prepare_resume()",
                            "    - net: stmmac: address non-LPI resume failures properly",
                            "    - net: stmmac: socfpga: remove phy_resume() call",
                            "    - net: phylink: add functions to block/unblock rx clock stop",
                            "    - net: stmmac: block PHY RXC clock-stop",
                            "    - netfilter: fib: avoid lookup if socket is available",
                            "    - virtio_console: fix missing byte order handling for cols and rows",
                            "    - sched_ext: Use kvzalloc for large exit_dump allocation",
                            "    - crypto: atmel-sha204a - Set hwrng quality to lowest possible",
                            "    - net: selftests: initialize TCP header and skb payload with zero",
                            "    - net: phy: microchip: force IRQ polling mode for lan88xx",
                            "    - mptcp: pm: Defer freeing of MPTCP userspace path manager entries",
                            "    - scsi: mpi3mr: Fix pending I/O counter",
                            "    - rust: firmware: Use `ffi::c_char` type in `FwFunc`",
                            "    - drm: panel: jd9365da: fix reset signal polarity in unprepare",
                            "    - drm/amd/display: Fix gpu reset in multidisplay config",
                            "    - drm/amd/display: Force full update in gpu reset",
                            "    - drm/amd/display: Fix ACPI edid parsing on some Lenovo systems",
                            "    - x86/insn: Fix CTEST instruction decoding",
                            "    - x86/mm: Fix _pgd_alloc() for Xen PV mode",
                            "    - selftests/pcie_bwctrl: Fix test progs list",
                            "    - binder: fix offset calculation in debug log",
                            "    - LoongArch: Handle fp, lsx, lasx and lbt assembly symbols",
                            "    - LoongArch: Remove a bogus reference to ZONE_DMA",
                            "    - LoongArch: KVM: Fix multiple typos of KVM code",
                            "    - LoongArch: KVM: Fully clear some CSRs when VM reboot",
                            "    - LoongArch: KVM: Fix PMU pass-through issue if VM exits to host finally",
                            "    - io_uring: fix 'sync' handling of io_fallback_tw()",
                            "    - KVM: SVM: Allocate IR data using atomic allocation",
                            "    - cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports",
                            "    - ata: libata-scsi: Improve CDL control",
                            "    - ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type",
                            "    - ata: libata-scsi: Fix ata_msense_control_ata_feature()",
                            "    - USB: storage: quirk for ADATA Portable HDD CH94",
                            "    - scsi: Improve CDL control",
                            "    - mei: me: add panther lake H DID",
                            "    - KVM: x86: Explicitly treat routing entry type changes as changes",
                            "    - KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer",
                            "    - char: misc: register chrdev region with all possible minors",
                            "    - misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack",
                            "    - firmware: stratix10-svc: Add of_platform_default_populate()",
                            "    - serial: msm: Configure correct working mode before starting earlycon",
                            "    - serial: sifive: lock port in startup()/shutdown() callbacks",
                            "    - USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe",
                            "    - USB: serial: option: add Sierra Wireless EM9291",
                            "    - USB: serial: simple: add OWON HDS200 series oscilloscope support",
                            "    - xhci: Limit time spent with xHC interrupts disabled during bus resume",
                            "    - usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines",
                            "    - usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling",
                            "    - USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)",
                            "    - usb: dwc3: xilinx: Prevent spike in reset signal",
                            "    - usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive",
                            "    - usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive",
                            "    - USB: VLI disk crashes if LPM is used",
                            "    - usb: typec: class: Invalidate USB device pointers on partner unregistration",
                            "    - usb: typec: class: Unlocked on error in typec_register_partner()",
                            "    - USB: wdm: handle IO errors in wdm_wwan_port_start",
                            "    - USB: wdm: close race between wdm_open and wdm_wwan_port_stop",
                            "    - USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context",
                            "    - USB: wdm: add annotation",
                            "    - crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()",
                            "    - selftests/bpf: Fix stdout race condition in traffic monitor",
                            "    - pinctrl: renesas: rza2: Fix potential NULL pointer dereference",
                            "    - pinctrl: mcp23s08: Get rid of spurious level interrupts",
                            "    - MIPS: cm: Detect CM quirks from device tree",
                            "    - crypto: ccp - Add support for PCI device 0x1134",
                            "    - crypto: lib/Kconfig - Fix lib built-in failure when arch is modular",
                            "    - clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec()",
                            "    - parisc: PDT: Fix missing prototype warning",
                            "    - s390/tty: Fix a potential memory leak bug",
                            "    - clk: renesas: rzv2h: Adjust for CPG_BUS_m_MSTOP starting from m = 1",
                            "    - selftests/bpf: Fix cap_enable_effective() return code",
                            "    - bpf: bpftool: Setting error code in do_loader()",
                            "    - bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it creates",
                            "      storage",
                            "    - bpf: Reject attaching fexit/fmod_ret to __noreturn functions",
                            "    - mailbox: pcc: Fix the possible race in updation of chan_in_use flag",
                            "    - mailbox: pcc: Always clear the platform ack interrupt first",
                            "    - staging: gpib: Use min for calculating transfer length",
                            "    - usb: host: max3421-hcd: Add missing spi_device_id table",
                            "    - usb: typec: ucsi: return CCI and message from sync_control callback",
                            "    - usb: typec: ucsi: ccg: move command quirks to ucsi_ccg_sync_control()",
                            "    - iio: adc: ad4695: make ad4695_exit_conversion_mode() more robust",
                            "    - fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size",
                            "    - usb: dwc3: gadget: Refactor loop to avoid NULL endpoints",
                            "    - usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield",
                            "    - dmaengine: bcm2835-dma: fix warning when CONFIG_PM=n",
                            "    - usb: xhci: Complete 'error mid TD' transfers when handling Missed Service",
                            "    - xhci: Handle spurious events on Etron host isoc enpoints",
                            "    - i3c: master: svc: Add support for Nuvoton npcm845 i3c",
                            "    - dmaengine: dmatest: Fix dmatest waiting less when interrupted",
                            "    - usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running",
                            "    - phy: rockchip: usbdp: Avoid call hpd_event_trigger in dp_phy_init",
                            "    - usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func",
                            "    - thunderbolt: Scan retimers after device router has been enumerated",
                            "    - iommu/arm-smmu-v3: Set MEV bit in nested STE for DoS mitigations",
                            "    - objtool: Silence more KCOV warnings",
                            "    - objtool, panic: Disable SMAP in __stack_chk_fail()",
                            "    - objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in",
                            "      wcd934x_slim_irq_handler()",
                            "    - objtool, regulator: rk808: Remove potential undefined behavior in",
                            "      rk806_set_mode_dcdc()",
                            "    - objtool, lkdtm: Obfuscate the do_nothing() pointer",
                            "    - qibfs: fix _another_ leak",
                            "    - riscv: tracing: Fix __write_overflow_field in ftrace_partial_regs()",
                            "    - ntb: reduce stack usage in idt_scan_mws",
                            "    - ntb_hw_amd: Add NTB PCI ID for new gen CPU",
                            "    - 9p/trans_fd: mark concurrent read and writes to p9_conn->err",
                            "    - rtc: pcf85063: do a SW reset if POR failed",
                            "    - tracing: Enforce the persistent ring buffer to be page aligned",
                            "    - kbuild, rust: use -fremap-path-prefix to make paths relative",
                            "    - kbuild: add dependency from vmlinux to sorttable",
                            "    - sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP",
                            "    - KVM: s390: Don't use %pK through tracepoints",
                            "    - KVM: s390: Don't use %pK through debug printing",
                            "    - cgroup/cpuset: Don't allow creation of local partition over a remote one",
                            "    - selftests: ublk: fix test_stripe_04",
                            "    - xen: Change xen-acpi-processor dom0 dependency",
                            "    - pwm: Let pwm_set_waveform() succeed even if lowlevel driver rounded up",
                            "    - pwm: axi-pwmgen: Let .round_waveform_tohw() signal when request was rounded",
                            "      up",
                            "    - nvme: requeue namespace scan on missed AENs",
                            "    - ACPI: EC: Set ec_no_wakeup for Lenovo Go S",
                            "    - ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls",
                            "    - drm/amdkfd: sriov doesn't support per queue reset",
                            "    - drm/amdgpu: Increase KIQ invalidate_tlbs timeout",
                            "    - drm/xe/xe3lpg: Apply Wa_14022293748, Wa_22019794406",
                            "    - nvme: re-read ANA log page after ns scan completes",
                            "    - nvme: multipath: fix return value of nvme_available_path",
                            "    - objtool: Stop UNRET validation on UD2",
                            "    - gpiolib: of: Move Atmel HSMCI quirk up out of the regulator comment",
                            "    - x86/xen: disable CPU idle and frequency drivers for PVH dom0",
                            "    - selftests/mincore: Allow read-ahead pages to reach the end of the file",
                            "    - x86/bugs: Use SBPB in write_ibpb() if applicable",
                            "    - x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline",
                            "    - x86/bugs: Don't fill RSB on context switch with eIBRS",
                            "    - nvmet-fc: take tgtport reference only once",
                            "    - nvmet-fc: put ref when assoc->del_work is already scheduled",
                            "    - cifs: Fix encoding of SMB1 Session Setup Kerberos Request in non-UNICODE",
                            "      mode",
                            "    - timekeeping: Add a lockdep override in tick_freeze()",
                            "    - cifs: Fix querying of WSL CHR and BLK reparse points over SMB1",
                            "    - ext4: make block validity check resistent to sb bh corruption",
                            "    - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes",
                            "    - scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init()",
                            "    - scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO",
                            "    - scsi: ufs: exynos: Move phy calls to .exit() callback",
                            "    - scsi: ufs: exynos: gs101: Put UFS device in reset on .suspend()",
                            "    - scsi: pm80xx: Set phy_attached to zero when device is gone",
                            "    - ASoC: fsl_asrc_dma: get codec or cpu dai from backend",
                            "    - ASoC: codecs: Add of_match_table for aw888081 driver",
                            "    - x86/i8253: Call clockevent_i8253_disable() with interrupts disabled",
                            "    - platform/x86: x86-android-tablets: Add \"9v\" to Vexia EDU ATLA 10 tablet",
                            "      symbols",
                            "    - platform/x86: x86-android-tablets: Add Vexia Edu Atla 10 tablet 5V data",
                            "    - iomap: skip unnecessary ifs_block_is_uptodate check",
                            "    - riscv: Provide all alternative macros all the time",
                            "    - spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts",
                            "    - spi: tegra210-quad: add rate limiting and simplify timeout error message",
                            "    - ubsan: Fix panic from test_ubsan_out_of_bounds",
                            "    - nvmet: pci-epf: cleanup link state management",
                            "    - x86/cpu: Add CPU model number for Bartlett Lake CPUs with Raptor Cove cores",
                            "    - md/raid1: Add check for missing source disk in process_checks()",
                            "    - drm/amdgpu: use a dummy owner for sysfs triggered cleaner shaders v4",
                            "    - drm/amd: Forbid suspending into non-default suspend states",
                            "    - drm/amdgpu: Use the right function for hdp flush",
                            "    - ublk: add ublk_force_abort_dev()",
                            "    - ublk: rely on ->canceling for dealing with ublk_nosrv_dev_should_queue_io",
                            "    - Revert \"drivers: core: synchronize really_probe() and dev_uevent()\"",
                            "    - driver core: introduce device_set_driver() helper",
                            "    - comedi: jr3_pci: Fix synchronous deletion of timer",
                            "    - crypto: lib/Kconfig - Hide arch options from user",
                            "    - [Config] updateconfigs for crypto libs",
                            "    - media: i2c: imx214: Fix uninitialized variable in imx214_set_ctrl()",
                            "    - MIPS: cm: Fix warning if MIPS_CM is disabled",
                            "    - net: phy: dp83822: fix transmit amplitude if CONFIG_OF_MDIO not defined",
                            "    - rust: kbuild: skip `--remap-path-prefix` for `rustdoc`",
                            "    - ublk: don't fail request for recovery & reissue in case of ubq->canceling",
                            "    - nvme: fixup scan failure for non-ANA multipath controllers",
                            "    - usb: xhci: Fix Short Packet handling rework ignoring errors",
                            "    - objtool: Ignore end-of-section jumps for KCOV/GCOV",
                            "    - objtool: Silence more KCOV warnings, part 2",
                            "    - crypto: Kconfig - Select LIB generic option",
                            "    - Linux 6.14.5",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37799",
                            "    - vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37800",
                            "    - driver core: fix potential NULL pointer dereference in dev_uevent()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37801",
                            "    - spi: spi-imx: Add check for spi_imx_setupxfer()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37802",
                            "    - ksmbd: fix WARNING \"do not call blocking ops when !TASK_RUNNING\"",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37876",
                            "    - netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37877",
                            "    - iommu: Clear iommu-dma ops on cleanup",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37878",
                            "    - perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37803",
                            "    - udmabuf: fix a buf size overflow issue during udmabuf creation",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37804",
                            "    - io_uring: always do atomic put from iowq",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37879",
                            "    - 9p/net: fix improper handling of bogus negative read/write replies",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37880",
                            "    - um: work around sched_yield not yielding in time-travel mode",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37881",
                            "    - usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37882",
                            "    - usb: xhci: Fix isochronous Ring Underrun/Overrun event handling",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37805",
                            "    - sound/virtio: Fix cancel_sync warnings on uninitialized work_structs",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37806",
                            "    - fs/ntfs3: Keep write operations atomic",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37883",
                            "    - s390/sclp: Add check for get_zeroed_page()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37884",
                            "    - bpf: Fix deadlock between rcu_tasks_trace and event_mutex.",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37807",
                            "    - bpf: Fix kmemleak warning for percpu hashmap",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37808",
                            "    - crypto: null - Use spin lock instead of mutex",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37809",
                            "    - usb: typec: class: Fix NULL pointer access",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37810",
                            "    - usb: dwc3: gadget: check that event count does not exceed event buffer",
                            "      length",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37811",
                            "    - usb: chipidea: ci_hdrc_imx: fix usbmisc handling",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37812",
                            "    - usb: cdns3: Fix deadlock when using NCM gadget",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37813",
                            "    - usb: xhci: Fix invalid pointer dereference in Etron workaround",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37814",
                            "    - tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37815",
                            "    - misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37885",
                            "    - KVM: x86: Reset IRTE to host control if *new* route isn't postable",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37816",
                            "    - mei: vsc: Fix fortify-panic caused by invalid counted_by() use",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37817",
                            "    - mcb: fix a double free bug in chameleon_parse_gdd()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37818",
                            "    - LoongArch: Return NULL from huge_pte_offset() for invalid PMD",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37819",
                            "    - irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37820",
                            "    - xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37821",
                            "    - sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37822",
                            "    - riscv: uprobes: Add missing fence.i after building the XOL buffer",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37886",
                            "    - pds_core: make wait_context part of q_info",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37887",
                            "    - pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37823",
                            "    - net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37797",
                            "    - net_sched: hfsc: Fix a UAF vulnerability in class handling",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37824",
                            "    - tipc: fix NULL pointer dereference in tipc_mon_reinit_self()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37825",
                            "    - nvmet: fix out-of-bounds access in nvmet_enable_port",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37826",
                            "    - scsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37888",
                            "    - net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37827",
                            "    - btrfs: zoned: return EIO on RAID1 block group write pointer mismatch",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37828",
                            "    - scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37829",
                            "    - cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37830",
                            "    - cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37831",
                            "    - cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate()",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37832",
                            "    - cpufreq: sun50i: prevent out-of-bounds access",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37833",
                            "    - net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads",
                            "",
                            "  * Plucky update: v6.14.5 upstream stable release (LP: #2111268) //",
                            "    CVE-2025-37834",
                            "    - mm/vmscan: don't try to reclaim hwpoison folio",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] resync git-ubuntu-log",
                            "    - [Packaging] update annotations scripts",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-20.20",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110652,
                            2111244,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            2111268,
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 20 May 2025 12:39:41 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-37838",
                                "url": "https://ubuntu.com/security/CVE-2025-37838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition  In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.  If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:  CPU0                                    CPU1                          | ssip_xmit_work ssi_protocol_remove     | kfree(ssi);             |                         | struct hsi_client *cl = ssi->cl;                         | // use ssi  Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-18 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-17.17 -proposed tracker (LP: #2109741)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.04.14)",
                            "",
                            "  * Plucky update: v6.14.4 upstream stable release (LP: #2109367)",
                            "    - scsi: hisi_sas: Enable force phy when SATA disk directly connected",
                            "    - wifi: at76c50x: fix use after free access in at76_disconnect",
                            "    - wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()",
                            "    - wifi: mac80211: Purge vif txq in ieee80211_do_stop()",
                            "    - wifi: brcmfmac: fix memory leak in brcmf_get_module_param",
                            "    - wifi: wl1251: fix memory leak in wl1251_tx_work",
                            "    - scsi: iscsi: Fix missing scsi_host_put() in error path",
                            "    - scsi: smartpqi: Use is_kdump_kernel() to check for kdump",
                            "    - md/raid10: fix missing discard IO accounting",
                            "    - md/md-bitmap: fix stats collection for external bitmaps",
                            "    - ASoC: dwc: always enable/disable i2s irqs",
                            "    - ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()",
                            "    - crypto: tegra - Fix IV usage for AES ECB",
                            "    - ovl: remove unused forward declaration",
                            "    - RDMA/bnxt_re: Fix budget handling of notification queue",
                            "    - RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()",
                            "    - RDMA/hns: Fix wrong maximum DMA segment size",
                            "    - ALSA: hda/cirrus_scodec_test: Don't select dependencies",
                            "    - ALSA: hda/realtek - Fixed ASUS platform headset Mic issue",
                            "    - ASoC: cs42l43: Reset clamp override on jack removal",
                            "    - RDMA/core: Silence oversized kvmalloc() warning",
                            "    - firmware: cs_dsp: test_bin_error: Fix uninitialized data used as fw version",
                            "    - Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address",
                            "    - Bluetooth: btrtl: Prevent potential NULL dereference",
                            "    - Bluetooth: qca: fix NV variant for one of WCN3950 SoCs",
                            "    - Bluetooth: l2cap: Check encryption key size on incoming connection",
                            "    - RDMA/bnxt_re: Remove unusable nq variable",
                            "    - ipv6: add exception routes to GC list in rt6_insert_exception",
                            "    - xen: fix multicall debug feature",
                            "    - mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show()",
                            "    - wifi: iwlwifi: pcie: set state to no-FW before reset handshake",
                            "    - Revert \"wifi: mac80211: Update skb's control block key in",
                            "      ieee80211_tx_dequeue()\"",
                            "    - igc: fix PTM cycle trigger logic",
                            "    - igc: increase wait time before retrying PTM",
                            "    - igc: move ktime snapshot into PTM retry loop",
                            "    - igc: handle the IGC_PTP_ENABLED flag correctly",
                            "    - igc: cleanup PTP module if probe fails",
                            "    - igc: add lock preventing multiple simultaneous PTM transactions",
                            "    - perf tools: Remove evsel__handle_error_quirks()",
                            "    - dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry",
                            "    - smc: Fix lockdep false-positive for IPPROTO_SMC.",
                            "    - test suite: use %zu to print size_t",
                            "    - selftests: mincore: fix tmpfs mincore test failure",
                            "    - pds_core: fix memory leak in pdsc_debugfs_add_qcq()",
                            "    - ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()",
                            "    - net: mctp: Set SOCK_RCU_FREE",
                            "    - net: hibmcge: fix incorrect pause frame statistics issue",
                            "    - net: hibmcge: fix incorrect multicast filtering issue",
                            "    - net: hibmcge: fix wrong mtu log issue",
                            "    - net: hibmcge: fix not restore rx pause mac addr after reset issue",
                            "    - block: fix resource leak in blk_register_queue() error path",
                            "    - netlink: specs: ovs_vport: align with C codegen capabilities",
                            "    - net: openvswitch: fix nested key length validation in the set() action",
                            "    - can: rockchip_canfd: fix broken quirks checks",
                            "    - net: ngbe: fix memory leak in ngbe_probe() error path",
                            "    - octeontx2-pf: handle otx2_mbox_get_rsp errors",
                            "    - net: ethernet: ti: am65-cpsw: fix port_np reference counting",
                            "    - eth: bnxt: fix missing ring index trim on error path",
                            "    - loop: aio inherit the ioprio of original request",
                            "    - loop: stop using vfs_iter_{read,write} for buffered I/O",
                            "    - nvmet: pci-epf: always fully initialize completion entries",
                            "    - nvmet: pci-epf: clear CC and CSTS when disabling the controller",
                            "    - ata: libata-sata: Save all fields from sense data descriptor",
                            "    - cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path",
                            "    - netlink: specs: rt-link: add an attr layer around alt-ifname",
                            "    - netlink: specs: rtnetlink: attribute naming corrections",
                            "    - netlink: specs: rt-link: adjust mctp attribute naming",
                            "    - netlink: specs: rt-neigh: prefix struct nfmsg members with ndm",
                            "    - net: b53: enable BPDU reception for management port",
                            "    - net: bridge: switchdev: do not notify new brentries as changed",
                            "    - net: txgbe: fix memory leak in txgbe_probe() error path",
                            "    - net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never",
                            "      registered",
                            "    - net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported",
                            "    - net: dsa: clean up FDB, MDB, VLAN entries on unbind",
                            "    - net: dsa: free routing table on probe failure",
                            "    - net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails",
                            "    - ptp: ocp: fix start time alignment in ptp_ocp_signal_set",
                            "    - netfilter: conntrack: fix erronous removal of offload bit",
                            "    - net: ti: icss-iep: Add pwidth configuration for perout signal",
                            "    - net: ti: icss-iep: Add phase offset configuration for perout signal",
                            "    - net: ti: icss-iep: Fix possible NULL pointer dereference for perout request",
                            "    - net: ethernet: mtk_eth_soc: reapply mdc divider on reset",
                            "    - net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for",
                            "      100Mbps",
                            "    - net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings",
                            "    - riscv: Use kvmalloc_array on relocation_hashtable",
                            "    - riscv: Properly export reserved regions in /proc/iomem",
                            "    - riscv: module: Fix out-of-bounds relocation access",
                            "    - riscv: module: Allocate PLT entries for R_RISCV_PLT32",
                            "    - kunit: qemu_configs: SH: Respect kunit cmdline",
                            "    - thermal: intel: int340x: Fix Panther Lake DLVR support",
                            "    - riscv: KGDB: Do not inline arch_kgdb_breakpoint()",
                            "    - riscv: KGDB: Remove \".option norvc/.option rvc\" for kgdb_compiled_break",
                            "    - cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS",
                            "    - objtool/rust: add one more `noreturn` Rust function for Rust 1.86.0",
                            "    - rust: helpers: Remove volatile qualifier from io helpers",
                            "    - rust: kasan/kbuild: fix missing flags on first build",
                            "    - rust: disable `clippy::needless_continue`",
                            "    - rust: kbuild: Don't export __pfx symbols",
                            "    - rust: kbuild: use `pound` to support GNU Make < 4.3",
                            "    - writeback: fix false warning in inode_to_wb()",
                            "    - Revert \"PCI: Avoid reset when disabled via sysfs\"",
                            "    - ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on TRIGGER_START event",
                            "    - ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate",
                            "    - ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels",
                            "    - ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S16",
                            "    - ASoC: qcom: Fix sc7280 lpass potential buffer overflow",
                            "    - accel/ivpu: Fix the NPU's DPU frequency calculation",
                            "    - alloc_tag: handle incomplete bulk allocations in vm_module_tags_populate",
                            "    - asus-laptop: Fix an uninitialized variable",
                            "    - block: integrity: Do not call set_page_dirty_lock()",
                            "    - drm/v3d: Fix Indirect Dispatch configuration for V3D 7.1.6 and later",
                            "    - drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check",
                            "    - drm/msm/dpu: drop rogue intr_tear_rd_ptr values",
                            "    - dma-buf/sw_sync: Decrement refcount on error in sw_sync_ioctl_get_deadline()",
                            "    - nfs: add missing selections of CONFIG_CRC32",
                            "    - nfsd: decrease sc_count directly if fail to queue dl_recall",
                            "    - i2c: atr: Fix wrong include",
                            "    - eventpoll: abstract out ep_try_send_events() helper",
                            "    - eventpoll: Set epoll timeout if it's in the future",
                            "    - ftrace: fix incorrect hash size in register_ftrace_direct()",
                            "    - drm/msm/a6xx+: Don't let IB_SIZE overflow",
                            "    - Bluetooth: l2cap: Process valid commands in too long frame",
                            "    - Bluetooth: vhci: Avoid needless snprintf() calls",
                            "    - btrfs: ioctl: don't free iov when btrfs_encoded_read() returns -EAGAIN",
                            "    - btrfs: correctly escape subvol in btrfs_show_options()",
                            "    - cpufreq/sched: Explicitly synchronize limits_changed flag handling",
                            "    - crypto: caam/qi - Fix drv_ctx refcount bug",
                            "    - hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key",
                            "    - i2c: cros-ec-tunnel: defer probe if parent EC is not present",
                            "    - isofs: Prevent the use of too small fid",
                            "    - lib/iov_iter: fix to increase non slab folio refcount",
                            "    - loop: properly send KOBJ_CHANGED uevent for disk device",
                            "    - loop: LOOP_SET_FD: send uevents for partitions",
                            "    - mm/compaction: fix bug in hugetlb handling pathway",
                            "    - mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable()",
                            "    - mm: fix filemap_get_folios_contig returning batches of identical folios",
                            "    - mm: fix apply_to_existing_page_range()",
                            "    - ovl: don't allow datadir only",
                            "    - ksmbd: Fix dangling pointer in krb_authenticate",
                            "    - ksmbd: fix use-after-free in __smb2_lease_break_noti()",
                            "    - ksmbd: fix use-after-free in smb_break_all_levII_oplock()",
                            "    - ksmbd: Prevent integer overflow in calculation of deadtime",
                            "    - ksmbd: fix the warning from __kernel_write_iter",
                            "    - Revert \"smb: client: Fix netns refcount imbalance causing leaks and use-",
                            "      after-free\"",
                            "    - Revert \"smb: client: fix TCP timers deadlock after rmmod\"",
                            "    - riscv: Avoid fortify warning in syscall_get_arguments()",
                            "    - selftests/mm: generate a temporary mountpoint for cgroup filesystem",
                            "    - slab: ensure slab->obj_exts is clear in a newly allocated slab page",
                            "    - smb3 client: fix open hardlink on deferred close file error",
                            "    - string: Add load_unaligned_zeropad() code path to sized_strscpy()",
                            "    - tracing: Fix filter string testing",
                            "    - virtiofs: add filesystem context source name check",
                            "    - x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any",
                            "      unreleased standalone Zen5 microcode patches",
                            "    - x86/cpu/amd: Fix workaround for erratum 1054",
                            "    - x86/boot/sev: Avoid shared GHCB page for early memory acceptance",
                            "    - scsi: megaraid_sas: Block zero-length ATA VPD inquiry",
                            "    - scsi: ufs: exynos: Move UFS shareability value to drvdata",
                            "    - scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set",
                            "    - scsi: ufs: exynos: Ensure consistent phy reference counts",
                            "    - RDMA/cma: Fix workqueue crash in cma_netevent_work_handler",
                            "    - RAS/AMD/ATL: Include row[13] bit in row retirement",
                            "    - RAS/AMD/FMPM: Get masked address",
                            "    - platform/x86: amd: pmf: Fix STT limits",
                            "    - perf/x86/intel: Allow to update user space GPRs from PEBS records",
                            "    - perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR",
                            "    - perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX",
                            "    - perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR",
                            "    - drm/repaper: fix integer overflows in repeat functions",
                            "    - drm/ast: Fix ast_dp connection status",
                            "    - drm/msm/dsi: Add check for devm_kstrdup()",
                            "    - drm/msm/a6xx: Fix stale rpmh votes from GPU",
                            "    - drm/amdgpu: Prefer shadow rom when available",
                            "    - drm/amd/display: prevent hang on link training fail",
                            "    - drm/amd: Handle being compiled without SI or CIK support better",
                            "    - drm/amd/display: Actually do immediate vblank disable",
                            "    - drm/amd/display: Increase vblank offdelay for PSR panels",
                            "    - drm/amd/pm: Prevent division by zero",
                            "    - drm/amd/pm/powerplay: Prevent division by zero",
                            "    - drm/amd/pm: Add zero RPM enabled OD setting support for SMU14.0.2",
                            "    - drm/amd/pm/smu11: Prevent division by zero",
                            "    - drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero",
                            "    - drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero",
                            "    - drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero",
                            "    - drm/amdgpu/mes12: optimize MES pipe FW version fetching",
                            "    - drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed",
                            "    - drm/xe: Use local fence in error path of xe_migrate_clear",
                            "    - drm/virtio: Don't attach GEM to a non-created context in gem_object_open()",
                            "    - drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1",
                            "    - drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()",
                            "    - drm/amd/display: Protect FPU in dml21_copy()",
                            "    - drm/amdgpu/mes11: optimize MES pipe FW version fetching",
                            "    - drm/amdgpu/dma_buf: fix page_link check",
                            "    - drm/nouveau: prime: fix ttm_bo_delayed_delete oops",
                            "    - drm/imagination: fix firmware memory leaks",
                            "    - drm/imagination: take paired job reference",
                            "    - drm/virtio: Fix missed dmabuf unpinning in error path of prepare_fb()",
                            "    - drm/sti: remove duplicate object names",
                            "    - drm/i915: Fix scanline_offset for LNL+ and BMG+",
                            "    - drm/xe: Fix an out-of-bounds shift when invalidating TLB",
                            "    - Revert \"UBUNTU: SAUCE: drm/xe/bmg: Add one additional PCI ID\"",
                            "    - drm/xe/bmg: Add one additional PCI ID",
                            "    - drm/i915/gvt: fix unterminated-string-initialization warning",
                            "    - drm/i915/xe2hpd: Identify the memory type for SKUs with GDDR + ECC",
                            "    - drm/i915/dp: Reject HBR3 when sink doesn't support TPS4",
                            "    - drm/amdgpu: immediately use GTT for new allocations",
                            "    - drm/amd/display: Do not enable Replay and PSR while VRR is on in",
                            "      amdgpu_dm_commit_planes()",
                            "    - drm/amd/display: Protect FPU in dml2_init()/dml21_init()",
                            "    - drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1",
                            "    - drm/xe/dma_buf: stop relying on placement in unmap",
                            "    - drm/xe/userptr: fix notifier vs folio deadlock",
                            "    - drm/xe: Set LRC addresses before guc load",
                            "    - drm/i915/display: Add macro for checking 3 DSC engines",
                            "    - drm/i915/dp: Check for HAS_DSC_3ENGINES while configuring DSC slices",
                            "    - drm/amd/display/dml2: use vzalloc rather than kzalloc",
                            "    - drm/amdgpu: fix warning of drm_mm_clean",
                            "    - drm/mgag200: Fix value in <VBLKSTR> register",
                            "    - io_uring: don't post tag CQEs on file/buffer registration failure",
                            "    - arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1",
                            "    - arm64/sysreg: Add register fields for HDFGRTR2_EL2",
                            "    - arm64/sysreg: Add register fields for HDFGWTR2_EL2",
                            "    - arm64/sysreg: Add register fields for HFGITR2_EL2",
                            "    - arm64/sysreg: Add register fields for HFGRTR2_EL2",
                            "    - arm64/sysreg: Add register fields for HFGWTR2_EL2",
                            "    - arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9",
                            "    - cpufreq: Reference count policy in cpufreq_update_limits()",
                            "    - scripts: generate_rust_analyzer: Add ffi crate",
                            "    - platform/x86: alienware-wmi-wmax: Add G-Mode support to Alienware m16 R1",
                            "    - platform/x86: alienware-wmi-wmax: Extend support to more laptops",
                            "    - platform/x86: msi-wmi-platform: Rename \"data\" variable",
                            "    - platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug",
                            "    - drm/amd/display: Temporarily disable hostvm on DCN31",
                            "    - nvmet-fc: Remove unused functions",
                            "    - mm/vma: add give_up_on_oom option on modify/merge, use in uffd release",
                            "    - Revert \"wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process\"",
                            "    - MIPS: dec: Declare which_prom() as static",
                            "    - MIPS: cevt-ds1287: Add missing ds1287.h include",
                            "    - MIPS: ds1287: Match ds1287_set_base_clock() function types",
                            "    - wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process",
                            "    - Linux 6.14.4",
                            "",
                            "  * Plucky update: v6.14.3 upstream stable release (LP: #2108854)",
                            "    - ASoC: Intel: adl: add 2xrt1316 audio configuration",
                            "    - cgroup/cpuset: Fix incorrect isolated_cpus update in",
                            "      update_parent_effective_cpumask()",
                            "    - cgroup/cpuset: Fix error handling in remote_partition_disable()",
                            "    - cgroup/cpuset: Fix race between newly created partition and dying one",
                            "    - tracing: fprobe: Cleanup fprobe hash when module unloading",
                            "    - gpiolib: of: Fix the choice for Ingenic NAND quirk",
                            "    - selftests/futex: futex_waitv wouldblock test should fail",
                            "    - ublk: fix handling recovery & reissue in ublk_abort_queue()",
                            "    - drm/virtio: Fix flickering issue seen with imported dmabufs",
                            "    - drm/i915: Disable RPG during live selftest",
                            "    - x86/acpi: Don't limit CPUs to 1 for Xen PV guests due to disabled ACPI",
                            "    - net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value",
                            "      always as 0.",
                            "    - drm/xe/hw_engine: define sysfs_ops on all directories",
                            "    - drm/xe: Restore EIO errno return when GuC PC start fails",
                            "    - ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()",
                            "    - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret()",
                            "    - tipc: fix memory leak in tipc_link_xmit",
                            "    - codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()",
                            "    - net: tls: explicitly disallow disconnect",
                            "    - octeontx2-pf: qos: fix VF root node parent queue index",
                            "    - tc: Ensure we have enough buffer space when sending filter netlink",
                            "      notifications",
                            "    - net: ethtool: Don't call .cleanup_data when prepare_data fails",
                            "    - drm/tests: modeset: Fix drm_display_mode memory leak",
                            "    - drm/tests: helpers: Create kunit helper to destroy a drm_display_mode",
                            "    - drm/tests: cmdline: Fix drm_display_mode memory leak",
                            "    - drm/tests: modes: Fix drm_display_mode memory leak",
                            "    - drm/tests: probe-helper: Fix drm_display_mode memory leak",
                            "    - net: libwx: handle page_pool_dev_alloc_pages error",
                            "    - cifs: Fix support for WSL-style symlinks",
                            "    - ata: sata_sx4: Add error handling in pdc20621_i2c_read()",
                            "    - drm/i915/huc: Fix fence not released on early probe errors",
                            "    - s390/cpumf: Fix double free on error in cpumf_pmu_event_init()",
                            "    - nvmet-fcloop: swap list_add_tail arguments",
                            "    - net_sched: sch_sfq: use a temporary work area for validating configuration",
                            "    - net_sched: sch_sfq: move the limit validation",
                            "    - x86/cpu: Avoid running off the end of an AMD erratum table",
                            "    - smb: client: fix UAF in decryption with multichannel",
                            "    - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend()",
                            "    - net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-",
                            "      controlled PHY",
                            "    - ipv6: Align behavior across nexthops during path selection",
                            "    - net: ppp: Add bound checking for skb data on ppp_sync_txmung",
                            "    - nft_set_pipapo: fix incorrect avx2 match of 5th field octet",
                            "    - ethtool: cmis_cdb: Fix incorrect read / write length extension",
                            "    - iommu/exynos: Fix suspend/resume with IDENTITY domain",
                            "    - iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group",
                            "    - net: libwx: Fix the wrong Rx descriptor field",
                            "    - perf/core: Simplify the perf_event_alloc() error path",
                            "    - perf: Fix hang while freeing sigtrap event",
                            "    - fs: consistently deref the files table with rcu_dereference_raw()",
                            "    - umount: Allow superblock owners to force umount",
                            "    - srcu: Force synchronization for srcu_get_delay()",
                            "    - pm: cpupower: bench: Prevent NULL dereference on malloc failure",
                            "    - irqchip/gic-v3: Add Rockchip 3568002 erratum workaround",
                            "    - [Config] updateconfigs for ROCKCHIP_ERRATUM_3568002",
                            "    - x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW",
                            "    - x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC <",
                            "      14.2",
                            "    - x86/ia32: Leave NULL selector values 0~3 unchanged",
                            "    - x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when",
                            "      running in a virtual machine",
                            "    - perf: arm_pmu: Don't disable counter in armpmu_add()",
                            "    - perf/dwc_pcie: fix some unreleased resources",
                            "    - perf/dwc_pcie: fix duplicate pci_dev devices",
                            "    - PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()",
                            "    - Flush console log from kernel_power_off()",
                            "    - cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend",
                            "    - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD",
                            "    - xen/mcelog: Add __nonstring annotations for unterminated strings",
                            "    - zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work",
                            "      around compiler segfault",
                            "    - tracing: Disable branch profiling in noinstr code",
                            "    - platform/chrome: cros_ec_lpc: Match on Framework ACPI device",
                            "    - ASoC: SOF: topology: Use krealloc_array() to replace krealloc()",
                            "    - HID: pidff: Convert infinite length from Linux API to PID standard",
                            "    - HID: pidff: Do not send effect envelope if it's empty",
                            "    - HID: pidff: Add MISSING_DELAY quirk and its detection",
                            "    - HID: pidff: Add MISSING_PBO quirk and its detection",
                            "    - HID: pidff: Add PERMISSIVE_CONTROL quirk",
                            "    - HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol",
                            "    - HID: pidff: Add FIX_WHEEL_DIRECTION quirk",
                            "    - HID: Add hid-universal-pidff driver and supported device ids",
                            "    - [Config] enable new hid-universal-pidff driver module",
                            "    - HID: pidff: Add PERIODIC_SINE_ONLY quirk",
                            "    - HID: pidff: Fix null pointer dereference in pidff_find_fields",
                            "    - ASoC: amd: ps: use macro for ACP6.3 pci revision id",
                            "    - ASoC: amd: amd_sdw: Add quirks for Dell SKU's",
                            "    - ALSA: hda: intel: Fix Optimus when GPU has no sound",
                            "    - ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist",
                            "    - ASoC: fsl_audmix: register card device depends on 'dais' property",
                            "    - media: uvcvideo: Add quirk for Actions UVC05",
                            "    - HID: lenovo: Fix to ensure the data as __le32 instead of u32",
                            "    - media: s5p-mfc: Corrected NV12M/NV21M plane-sizes",
                            "    - mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves",
                            "    - ALSA: usb-audio: Fix CME quirk for UF series keyboards",
                            "    - ASoC: amd: Add DMI quirk for ACP6X mic support",
                            "    - ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315",
                            "    - ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247",
                            "    - ASoC: amd: yc: update quirk data for new Lenovo model",
                            "    - platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig",
                            "    - wifi: ath9k: use unsigned long for activity check timestamp",
                            "    - wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues",
                            "    - wifi: ath11k: fix memory leak in ath11k_xxx_remove()",
                            "    - wifi: ath12k: fix memory leak in ath12k_pci_remove()",
                            "    - wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process",
                            "    - wifi: ath12k: Avoid memory leak while enabling statistics",
                            "    - ata: libata-core: Add 'external' to the libata.force kernel parameter",
                            "    - scsi: mpi3mr: Avoid reply queue full condition",
                            "    - scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue",
                            "    - net: page_pool: don't cast mp param to devmem",
                            "    - f2fs: don't retry IO for corrupted data scenario",
                            "    - wifi: mac80211: add strict mode disabling workarounds",
                            "    - wifi: mac80211: ensure sdata->work is canceled before initialized.",
                            "    - scsi: target: spc: Fix RSOC parameter data header size",
                            "    - net: usb: asix_devices: add FiberGecko DeviceID",
                            "    - page_pool: avoid infinite loop to schedule delayed worker",
                            "    - can: flexcan: Add quirk to handle separate interrupt lines for mailboxes",
                            "    - can: flexcan: add NXP S32G2/S32G3 SoC support",
                            "    - jfs: Fix uninit-value access of imap allocated in the diMount() function",
                            "    - fs/jfs: cast inactags to s64 to prevent potential overflow",
                            "    - fs/jfs: Prevent integer overflow in AG size calculation",
                            "    - jfs: Prevent copying of nlink with value 0 from disk inode",
                            "    - jfs: add sanity check for agwidth in dbMount",
                            "    - wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1",
                            "    - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode",
                            "    - net: sfp: add quirk for 2.5G OEM BX SFP",
                            "    - wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi",
                            "    - f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()",
                            "    - net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module",
                            "    - ahci: add PCI ID for Marvell 88SE9215 SATA Controller",
                            "    - ext4: protect ext4_release_dquot against freezing",
                            "    - Revert \"f2fs: rebuild nat_bits during umount\"",
                            "    - wifi: mac80211: fix userspace_selectors corruption",
                            "    - ext4: ignore xattrs past end",
                            "    - cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk",
                            "    - scsi: st: Fix array overflow in st_setup()",
                            "    - ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI",
                            "    - btrfs: harden block_group::bg_list against list_del() races",
                            "    - wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table",
                            "    - net: vlan: don't propagate flags on open",
                            "    - tracing: fix return value in __ftrace_event_enable_disable for",
                            "      TRACE_REG_UNREGISTER",
                            "    - Bluetooth: btusb: Add new VID/PID for WCN785x",
                            "    - Bluetooth: btintel_pcie: Add device id of Whale Peak",
                            "    - Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x",
                            "    - Bluetooth: hci_uart: fix race during initialization",
                            "    - Bluetooth: btusb: Add 2 HWIDs for MT7922",
                            "    - Bluetooth: hci_qca: use the power sequencer for wcn6750",
                            "    - Bluetooth: qca: simplify WCN399x NVM loading",
                            "    - Bluetooth: qca: add WCN3950 support",
                            "    - drm: allow encoder mode_set even when connectors change for crtc",
                            "    - drm/virtio: Set missing bo->attached flag",
                            "    - drm/rockchip: Don't change hdmi reference clock rate",
                            "    - drm/xe/ptl: Update the PTL pci id table",
                            "    - drm/xe/pf: Don't send BEGIN_ID if VF has no context/doorbells",
                            "    - drm/xe/vf: Don't try to trigger a full GT reset if VF",
                            "    - drm/amd/display: Update Cursor request mode to the beginning prefetch always",
                            "    - drm/amd/display: Guard Possible Null Pointer Dereference",
                            "    - drm/amd/display: add workaround flag to link to force FFE preset",
                            "    - drm/amdgpu: Unlocked unmap only clear page table leaves",
                            "    - drm: panel-orientation-quirks: Add support for AYANEO 2S",
                            "    - drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB",
                            "    - drm: panel-orientation-quirks: Add quirk for AYA NEO Slide",
                            "    - drm: panel-orientation-quirks: Add new quirk for GPD Win 2",
                            "    - drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel)",
                            "    - drm/debugfs: fix printk format for bridge index",
                            "    - drm/bridge: panel: forbid initializing a panel with unknown connector type",
                            "    - drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage",
                            "    - drm/amd/display: stop DML2 from removing pipes based on planes",
                            "    - drivers: base: devres: Allow to release group on device release",
                            "    - drm/amdkfd: clamp queue size to minimum",
                            "    - drm/amdkfd: Fix mode1 reset crash issue",
                            "    - drm/amdkfd: Fix pqm_destroy_queue race with GPU reset",
                            "    - drm/amdkfd: debugfs hang_hws skip GPU with MES",
                            "    - drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds",
                            "    - drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data",
                            "    - drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off",
                            "    - drm/rockchip: stop passing non struct drm_device to drm_err() and friends",
                            "    - PCI: Add Rockchip Vendor ID",
                            "    - drm/amdgpu: handle amdgpu_cgs_create_device() errors in",
                            "      amd_powerplay_create()",
                            "    - drm/amd/display: Prevent VStartup Overflow",
                            "    - PCI: Enable Configuration RRS SV early",
                            "    - drm/amdgpu: Fix the race condition for draining retry fault",
                            "    - PCI: Check BAR index for validity",
                            "    - PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type",
                            "    - drm/amdgpu: grab an additional reference on the gang fence v2",
                            "    - fbdev: omapfb: Add 'plane' value check",
                            "    - tracing: probe-events: Log error for exceeding the number of arguments",
                            "    - tracing: probe-events: Add comments about entry data storing code",
                            "    - ktest: Fix Test Failures Due to Missing LOG_FILE Directories",
                            "    - tpm, tpm_tis: Workaround failed command reception on Infineon devices",
                            "    - tpm: End any active auth session before shutdown",
                            "    - pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()",
                            "    - pwm: rcar: Improve register calculation",
                            "    - pwm: fsl-ftm: Handle clk_get_rate() returning 0",
                            "    - pwm: stm32: Search an appropriate duty_cycle if period cannot be modified",
                            "    - erofs: set error to bio if file-backed IO fails",
                            "    - bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags",
                            "    - ext4: don't treat fhandle lookup of ea_inode as FS corruption",
                            "    - s390/pci: Fix s390_mmio_read/write syscall page fault handling",
                            "    - HID: pidff: Clamp PERIODIC effect period to device's logical range",
                            "    - HID: pidff: Stop all effects before enabling actuators",
                            "    - HID: pidff: Completely rework and fix pidff_reset function",
                            "    - HID: pidff: Simplify pidff_upload_effect function",
                            "    - HID: pidff: Define values used in pidff_find_special_fields",
                            "    - HID: pidff: Rescale time values to match field units",
                            "    - HID: pidff: Factor out code for setting gain",
                            "    - HID: pidff: Move all hid-pidff definitions to a dedicated header",
                            "    - HID: pidff: Simplify pidff_rescale_signed",
                            "    - HID: pidff: Use macros instead of hardcoded min/max values for shorts",
                            "    - HID: pidff: Factor out pool report fetch and remove excess declaration",
                            "    - HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX",
                            "    - HID: hid-universal-pidff: Add Asetek wheelbases support",
                            "    - HID: pidff: Comment and code style update",
                            "    - HID: pidff: Support device error response from PID_BLOCK_LOAD",
                            "    - HID: pidff: Remove redundant call to pidff_find_special_keys",
                            "    - HID: pidff: Rename two functions to align them with naming convention",
                            "    - HID: pidff: Clamp effect playback LOOP_COUNT value",
                            "    - HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff",
                            "    - HID: pidff: Fix 90 degrees direction name North -> East",
                            "    - HID: pidff: Fix set_device_control()",
                            "    - auxdisplay: hd44780: Fix an API misuse in hd44780.c",
                            "    - dt-bindings: media: st,stmipid02: correct lane-polarities maxItems",
                            "    - media: mediatek: vcodec: Fix a resource leak related to the scp device in FW",
                            "      initialization",
                            "    - media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning",
                            "    - media: uapi: rkisp1-config: Fix typo in extensible params example",
                            "    - media: mgb4: Fix CMT registers update logic",
                            "    - media: i2c: adv748x: Fix test pattern selection mask",
                            "    - media: mgb4: Fix switched CMT frequency range \"magic values\" sets",
                            "    - media: intel/ipu6: set the dev_parent of video device to pdev",
                            "    - media: venus: hfi: add a check to handle OOB in sfr region",
                            "    - media: venus: hfi: add check to handle incorrect queue size",
                            "    - media: vim2m: print device name after registering device",
                            "    - media: siano: Fix error handling in smsdvb_module_init()",
                            "    - media: rockchip: rga: fix rga offset lookup",
                            "    - xenfs/xensyms: respect hypervisor's \"next\" indication",
                            "    - KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR},",
                            "      PMOVS{SET,CLR}",
                            "    - arm64: cputype: Add MIDR_CORTEX_A76AE",
                            "    - arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list",
                            "    - arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB",
                            "    - arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list",
                            "    - KVM: arm64: Tear down vGIC on failed vCPU creation",
                            "    - KVM: arm64: Set HCR_EL2.TID1 unconditionally",
                            "    - spi: cadence-qspi: Fix probe on AM62A LP SK",
                            "    - mtd: rawnand: brcmnand: fix PM resume warning",
                            "    - tpm, tpm_tis: Fix timeout handling when waiting for TPM status",
                            "    - accel/ivpu: Fix PM related deadlocks in MS IOCTLs",
                            "    - media: ov08x40: Properly turn sensor on/off when runtime-suspended",
                            "    - media: streamzap: prevent processing IR data on URB failure",
                            "    - media: hi556: Fix memory leak (on error) in hi556_check_hwcfg()",
                            "    - media: visl: Fix ERANGE error when setting enum controls",
                            "    - media: platform: stm32: Add check for clk_enable()",
                            "    - media: xilinx-tpg: fix double put in xtpg_parse_of()",
                            "    - media: imx219: Adjust PLL settings based on the number of MIPI lanes",
                            "    - media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()",
                            "    - Revert \"media: imx214: Fix the error handling in imx214_probe()\"",
                            "    - media: i2c: ccs: Set the device's runtime PM status correctly in remove",
                            "    - media: i2c: ccs: Set the device's runtime PM status correctly in probe",
                            "    - media: i2c: ov7251: Set enable GPIO low in probe",
                            "    - media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO",
                            "    - media: nuvoton: Fix reference handling of ece_node",
                            "    - media: nuvoton: Fix reference handling of ece_pdev",
                            "    - media: venus: hfi_parser: add check to avoid out of bound access",
                            "    - media: venus: hfi_parser: refactor hfi packet parsing logic",
                            "    - media: i2c: imx319: Rectify runtime PM handling probe and remove",
                            "    - media: i2c: imx219: Rectify runtime PM handling in probe and remove",
                            "    - media: i2c: imx214: Rectify probe error handling related to runtime PM",
                            "    - media: chips-media: wave5: Fix gray color on screen",
                            "    - media: chips-media: wave5: Avoid race condition in the interrupt handler",
                            "    - media: chips-media: wave5: Fix a hang after seeking",
                            "    - media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster",
                            "    - irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type()",
                            "    - mptcp: sockopt: fix getting IPV6_V6ONLY",
                            "    - mptcp: sockopt: fix getting freebind & transparent",
                            "    - block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone",
                            "    - mtd: Add check for devm_kcalloc()",
                            "    - net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family",
                            "    - net: dsa: mv88e6xxx: fix internal PHYs for 6320 family",
                            "    - mtd: Replace kcalloc() with devm_kcalloc()",
                            "    - clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup",
                            "    - Revert \"wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO\"",
                            "    - wifi: mt76: Add check for devm_kstrdup()",
                            "    - wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series",
                            "    - wifi: mac80211: fix integer overflow in hwmp_route_info_get()",
                            "    - wifi: mt76: mt7925: ensure wow pattern command align fw format",
                            "    - wifi: mt76: mt7925: fix country count limitation for CLC",
                            "    - wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present",
                            "    - wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO",
                            "    - wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure",
                            "    - wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd",
                            "    - wifi: mt76: mt7925: update the power-saving flow",
                            "    - scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag",
                            "    - net: stmmac: Fix accessing freed irq affinity_hint",
                            "    - io_uring/net: fix accept multishot handling",
                            "    - io_uring/net: fix io_req_post_cqe abuse by send bundle",
                            "    - io_uring/kbuf: reject zero sized provided buffers",
                            "    - ASoC: codecs: wcd937x: fix a potential memory leak in",
                            "      wcd937x_soc_codec_probe()",
                            "    - ASoC: q6apm: add q6apm_get_hw_pointer helper",
                            "    - ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs",
                            "    - ASoC: q6apm-dai: make use of q6apm_get_hw_pointer",
                            "    - ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.",
                            "    - ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.",
                            "    - ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path",
                            "    - ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx",
                            "    - accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal()",
                            "    - accel/ivpu: Fix deadlock in ivpu_ms_cleanup()",
                            "    - arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()",
                            "    - arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()",
                            "    - bus: mhi: host: Fix race between unprepare and queue_buf",
                            "    - ext4: fix off-by-one error in do_split",
                            "    - f2fs: fix the missing write pointer correction",
                            "    - f2fs: fix to avoid atomicity corruption of atomic file",
                            "    - vdpa/mlx5: Fix oversized null mkey longer than 32bit",
                            "    - udf: Fix inode_getblk() return value",
                            "    - tpm: do not start chip while suspended",
                            "    - svcrdma: do not unregister device for listeners",
                            "    - soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()",
                            "    - smb311 client: fix missing tcon check when mounting with linux/posix",
                            "      extensions",
                            "    - ima: limit the number of open-writers integrity violations",
                            "    - ima: limit the number of ToMToU integrity violations",
                            "    - igc: Fix XSK queue NAPI ID mapping",
                            "    - i3c: master: svc: Use readsb helper for reading MDB",
                            "    - i3c: Add NULL pointer check in i3c_master_queue_ibi()",
                            "    - jbd2: remove wrong sb->s_sequence check",
                            "    - kbuild: exclude .rodata.(cst|str)* when building ranges",
                            "    - kbuild: Add '-fno-builtin-wcslen'",
                            "    - leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs",
                            "    - leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs",
                            "    - mfd: ene-kb3930: Fix a potential NULL pointer dereference",
                            "    - mailbox: tegra-hsp: Define dimensioning masks in SoC data",
                            "    - locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()",
                            "    - lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets",
                            "    - mptcp: fix NULL pointer in can_accept_new_subflow",
                            "    - mptcp: only inc MPJoinAckHMacFailure for HMAC failures",
                            "    - mtd: inftlcore: Add error check for inftl_read_oob()",
                            "    - mtd: rawnand: Add status chack in r852_ready()",
                            "    - mtd: spinand: Fix build with gcc < 7.5",
                            "    - arm64: mops: Do not dereference src reg for a set operation",
                            "    - arm64: tegra: Remove the Orin NX/Nano suspend key",
                            "    - arm64: mm: Correct the update of max_pfn",
                            "    - arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size",
                            "    - arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks",
                            "    - arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang",
                            "    - arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string",
                            "    - arm64: dts: exynos: gs101: disable pinctrl_gsacore node",
                            "    - backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()",
                            "    - btrfs: fix non-empty delayed iputs list on unmount due to compressed write",
                            "      workers",
                            "    - btrfs: tests: fix chunk map leak after failure to add it to the tree",
                            "    - btrfs: zoned: fix zone activation with missing devices",
                            "    - btrfs: zoned: fix zone finishing with missing devices",
                            "    - iommufd: Fix uninitialized rc in iommufd_access_rw()",
                            "    - iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent()",
                            "    - iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled",
                            "    - iommu/vt-d: Don't clobber posted vCPU IRTE when host IRQ affinity changes",
                            "    - iommu/vt-d: Fix possible circular locking dependency",
                            "    - iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs",
                            "    - sparc/mm: disable preemption in lazy mmu mode",
                            "    - sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes",
                            "    - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.",
                            "    - mm/damon/ops: have damon_get_folio return folio even for tail pages",
                            "    - mm/damon: avoid applying DAMOS action to same entity multiple times",
                            "    - mm/rmap: reject hugetlb folios in folio_make_device_exclusive()",
                            "    - mm: make page_mapped_in_vma() hugetlb walk aware",
                            "    - mm: fix lazy mmu docs and usage",
                            "    - mm/mremap: correctly handle partial mremap() of VMA starting at 0",
                            "    - mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock",
                            "    - mm/userfaultfd: fix release hang over concurrent GUP",
                            "    - mm/hwpoison: do not send SIGBUS to processes with recovered clean pages",
                            "    - mm/hugetlb: move hugetlb_sysctl_init() to the __init section",
                            "    - mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper",
                            "    - sctp: detect and prevent references to a freed transport in sendmsg",
                            "    - x86/xen: fix balloon target initialization for PVH dom0",
                            "    - uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the",
                            "      ri_timer() uprobe timer callback, use raw_write_seqcount_*()",
                            "    - tracing: fprobe: Fix to lock module while registering fprobe",
                            "    - tracing: fprobe events: Fix possible UAF on modules",
                            "    - tracing: Do not add length to print format in synthetic events",
                            "    - thermal/drivers/rockchip: Add missing rk3328 mapping entry",
                            "    - CIFS: Propagate min offload along with other parameters from primary to",
                            "      secondary channels.",
                            "    - cifs: avoid NULL pointer dereference in dbg call",
                            "    - cifs: fix integer overflow in match_server()",
                            "    - cifs: Ensure that all non-client-specific reparse points are processed by",
                            "      the server",
                            "    - clk: renesas: r9a07g043: Fix HP clock source for RZ/Five",
                            "    - clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks",
                            "    - clk: qcom: gdsc: Release pm subdomains in reverse add order",
                            "    - clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code",
                            "    - clk: qcom: gdsc: Set retain_ff before moving to HW CTRL",
                            "    - crypto: ccp - Fix check for the primary ASP device",
                            "    - crypto: ccp - Fix uAPI definitions of PSP errors",
                            "    - dlm: fix error if inactive rsb is not hashed",
                            "    - dlm: fix error if active rsb is not hashed",
                            "    - dm-ebs: fix prefetch-vs-suspend race",
                            "    - dm-integrity: set ti->error on memory allocation failure",
                            "    - dm-integrity: fix non-constant-time tag verification",
                            "    - dm-verity: fix prefetch-vs-suspend race",
                            "    - dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg'",
                            "    - dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg'",
                            "    - firmware: cs_dsp: test_control_parse: null-terminate test strings",
                            "    - ftrace: Add cond_resched() to ftrace_graph_set_hash()",
                            "    - ftrace: Properly merge notrace hashes",
                            "    - fuse: {io-uring} Fix a possible req cancellation race",
                            "    - gpio: mpc8xxx: Fix wakeup source leaks on device unbind",
                            "    - gpio: tegra186: fix resource handling in ACPI probe path",
                            "    - gpio: zynq: Fix wakeup source leaks on device unbind",
                            "    - gve: handle overflow when reporting TX consumed descriptors",
                            "    - KVM: Allow building irqbypass.ko as as module when kvm.ko is a module",
                            "    - [Config] updateconfigs for HAVE_KVM_IRQ_BYPASS",
                            "    - KVM: x86: Explicitly zero-initialize on-stack CPUID unions",
                            "    - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses",
                            "    - landlock: Move code to ease future backports",
                            "    - landlock: Add the errata interface",
                            "    - landlock: Add erratum for TCP fix",
                            "    - landlock: Always allow signals between threads of the same process",
                            "    - landlock: Prepare to add second errata",
                            "    - selftests/landlock: Split signal_scoping_threads tests",
                            "    - selftests/landlock: Add a new test for setuid()",
                            "    - misc: pci_endpoint_test: Avoid issue of interrupts remaining after",
                            "      request_irq error",
                            "    - misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error",
                            "    - misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type",
                            "    - net: mana: Switch to page pool for jumbo frames",
                            "    - ntb: use 64-bit arithmetic for the MSI doorbell mask",
                            "    - of/irq: Fix device node refcount leakage in API of_irq_parse_one()",
                            "    - of/irq: Fix device node refcount leakage in API of_irq_parse_raw()",
                            "    - of/irq: Fix device node refcount leakages in of_irq_count()",
                            "    - of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()",
                            "    - of/irq: Fix device node refcount leakages in of_irq_init()",
                            "    - PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()",
                            "    - PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4",
                            "    - PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args()",
                            "    - PCI: pciehp: Avoid unnecessary device replacement check",
                            "    - PCI: Fix reference leak in pci_alloc_child_bus()",
                            "    - PCI: Fix reference leak in pci_register_host_bridge()",
                            "    - PCI: Fix wrong length of devres array",
                            "    - phy: freescale: imx8m-pcie: assert phy reset and perst in power off",
                            "    - pinctrl: qcom: Clear latched interrupt status when changing IRQ type",
                            "    - pinctrl: samsung: add support for eint_fltcon_offset",
                            "    - ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()",
                            "    - s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs",
                            "    - s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues",
                            "    - s390: Fix linker error when -no-pie option is unavailable",
                            "    - sched_ext: create_dsq: Return -EEXIST on duplicate request",
                            "    - selftests: mptcp: close fd_in before returning in main_loop",
                            "    - selftests: mptcp: fix incorrect fd checks in main_loop",
                            "    - spi: fsl-qspi: use devm function instead of driver remove",
                            "    - spi: fsl-qspi: Fix double cleanup in probe error path",
                            "    - thermal/drivers/mediatek/lvts: Disable monitor mode during suspend",
                            "    - thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold",
                            "    - wifi: ath11k: update channel list in worker when wait flag is set",
                            "    - arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists",
                            "    - iommufd: Make attach_handle generic than fault specific",
                            "    - iommufd: Fail replace if device has not been attached",
                            "    - x86/e820: Fix handling of subpage regions when calculating nosave ranges in",
                            "      e820__register_nosave_regions()",
                            "    - Bluetooth: hci_uart: Fix another race during initialization",
                            "    - Linux 6.14.3",
                            "",
                            "  * Plucky update: v6.14.3 upstream stable release (LP: #2108854) //",
                            "    CVE-2025-37838",
                            "    - HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver",
                            "      Due to Race Condition",
                            "",
                            "  * Introduce configfs-based interface for gpio-aggregator (LP: #2103496)",
                            "    - SAUCE: gpio: aggregator: fix \"_sysfs\" prefix check in",
                            "      gpio_aggregator_make_group()",
                            "    - SAUCE: gpio: aggregator: Fix gpio_aggregator_line_alloc() checking",
                            "    - SAUCE: gpio: aggregator: Return an error if there are no GPIOs in",
                            "      gpio_aggregator_parse()",
                            "    - SAUCE: gpio: aggregator: Fix error code in gpio_aggregator_activate()",
                            "    - SAUCE: gpio: aggregator: Fix leak in gpio_aggregator_parse()",
                            "    - SAUCE: selftests: gpio: gpio-aggregator: add a test case for _sysfs prefix",
                            "      reservation",
                            "",
                            "  * [SRU] Fix screen flickering in inverted display mode (LP: #2103617)",
                            "    - drm/xe/display: Fix fbdev GGTT mapping handling.",
                            "",
                            "  * System could not hit hardware sleep state with specific panel with AMD",
                            "    KRK/STX under DC mode (LP: #2103480)",
                            "    - drm/amd/display: Add and use new dm_prepare_suspend() callback",
                            "",
                            "  * WARNING: CPU: 18 PID: 3683 at arch/powerpc/kvm/../../../virt/kvm/vfio.c Call",
                            "    Traces seen when pci device is detached from the kvm guest (LP: #2104893)",
                            "    - KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests",
                            "",
                            "  * [SRU] Enable speaker/mic mute LEDs on Lenovo ideapad and thinkbook",
                            "    (LP: #2106449)",
                            "    - platform/x86:lenovo-wmi-hotkey-utilities.c: Support for mic and audio mute",
                            "      LEDs",
                            "    - [Config] Enable Lenovo wmi hotkey driver",
                            "",
                            "  * OLED panel screen backlight brightness does not change with brightness",
                            "    hotkey(F6&F7 Key) (LP: #2097818)",
                            "    - drm/dp: Add eDP 1.5 bit definition",
                            "    - drm/dp: Increase eDP display control capability size",
                            "    - drm/i915/backlight: Use proper interface based on eDP version",
                            "    - drm/i915/backlight: Check Luminance based brightness control for VESA",
                            "    - drm/i915/backlight: Modify function to get VESA brightness in Nits",
                            "    - drm/i915/backlight: Add function to change brightness in nits for VESA",
                            "    - drm/i915/backlight: Setup nits based luminance via VESA",
                            "    - drm/i915/backlight: Enable nits based luminance",
                            "",
                            "  * Plucky update: v6.14.2 upstream stable release (LP: #2107212)",
                            "    - fs: support O_PATH fds with FSCONFIG_SET_FD",
                            "    - watch_queue: fix pipe accounting mismatch",
                            "    - x86/mm/pat: cpa-test: fix length for CPA_ARRAY test",
                            "    - m68k: sun3: Use str_read_write() helper in mmu_emu_handle_fault()",
                            "    - m68k: sun3: Fix DEBUG_MMU_EMU build",
                            "    - cpufreq: scpi: compare kHz instead of Hz",
                            "    - seccomp: fix the __secure_computing() stub for !HAVE_ARCH_SECCOMP_FILTER",
                            "    - smack: dont compile ipv6 code unless ipv6 is configured",
                            "    - smack: ipv4/ipv6: tcp/dccp/sctp: fix incorrect child socket label",
                            "    - sched: Cancel the slice protection of the idle entity",
                            "    - sched/eevdf: Force propagating min_slice of cfs_rq when {en,de}queue tasks",
                            "    - cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()",
                            "    - EDAC/igen6: Fix the flood of invalid error reports",
                            "    - EDAC/{skx_common,i10nm}: Fix some missing error reports on Emerald Rapids",
                            "    - x86/vdso: Fix latent bug in vclock_pages calculation",
                            "    - x86/fpu: Fix guest FPU state buffer allocation size",
                            "    - cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf callback",
                            "    - cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to",
                            "      amd_pstate_update",
                            "    - cpufreq/amd-pstate: Convert all perf values to u8",
                            "    - cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update",
                            "    - x86/fpu: Avoid copying dynamic FP state from init_task in",
                            "      arch_dup_task_struct()",
                            "    - rseq: Update kernel fields in lockstep with CONFIG_DEBUG_RSEQ=y",
                            "    - x86/platform: Only allow CONFIG_EISA for 32-bit",
                            "    - [Config] updateconfigs for HAVE_EISA",
                            "    - x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()",
                            "    - lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock",
                            "    - PM: sleep: Adjust check before setting power.must_resume",
                            "    - cpufreq: tegra194: Allow building for Tegra234",
                            "    - RISC-V: KVM: Disable the kernel perf counter during configure",
                            "    - kunit/stackinit: Use fill byte different from Clang i386 pattern",
                            "    - watchdog/hardlockup/perf: Fix perf_event memory leak",
                            "    - x86/split_lock: Fix the delayed detection logic",
                            "    - selinux: Chain up tool resolving errors in install_policy.sh",
                            "    - EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer",
                            "    - EDAC/ie31200: Fix the DIMM size mask for several SoCs",
                            "    - EDAC/ie31200: Fix the error path order of ie31200_init()",
                            "    - dma: Fix encryption bit clearing for dma_to_phys",
                            "    - dma: Introduce generic dma_addr_*crypted helpers",
                            "    - arm64: realm: Use aliased addresses for device DMA to shared buffers",
                            "    - x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors",
                            "    - cpuidle: Init cpuidle only for present CPUs",
                            "    - thermal: int340x: Add NULL check for adev",
                            "    - PM: sleep: Fix handling devices with direct_complete set on errors",
                            "    - lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()",
                            "    - cpufreq: Init cpufreq only for present CPUs",
                            "    - perf/ring_buffer: Allow the EPOLLRDNORM flag for poll",
                            "    - perf: Save PMU specific data in task_struct",
                            "    - perf: Supply task information to sched_task()",
                            "    - perf/x86/lbr: Fix shorter LBRs call stacks for the system-wide mode",
                            "    - sched/deadline: Ignore special tasks when rebuilding domains",
                            "    - sched/topology: Wrappers for sched_domains_mutex",
                            "    - sched/deadline: Generalize unique visiting of root domains",
                            "    - sched/deadline: Rebuild root domain accounting after every update",
                            "    - x86/traps: Make exc_double_fault() consistently noreturn",
                            "    - x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures",
                            "    - x86/entry: Add __init to ia32_emulation_override_cmdline()",
                            "    - RISC-V: KVM: Teardown riscv specific bits after kvm_exit",
                            "    - regulator: pca9450: Fix enable register for LDO5",
                            "    - auxdisplay: MAX6959 should select BITREVERSE",
                            "    - media: verisilicon: HEVC: Initialize start_bit field",
                            "    - media: platform: allgro-dvt: unregister v4l2_device on the error path",
                            "    - auxdisplay: panel: Fix an API misuse in panel.c",
                            "    - platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: Make symbol static",
                            "    - platform/x86: dell-uart-backlight: Make dell_uart_bl_serdev_driver static",
                            "    - platform/x86: dell-ddv: Fix temperature calculation",
                            "    - ASoC: cs35l41: check the return value from spi_setup()",
                            "    - ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry",
                            "    - HID: remove superfluous (and wrong) Makefile entry for",
                            "      CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER",
                            "    - ASoC: simple-card-utils: Don't use __free(device_node) at",
                            "      graph_util_parse_dai()",
                            "    - dt-bindings: vendor-prefixes: add GOcontroll",
                            "    - ALSA: hda/realtek: Always honor no_shutup_pins",
                            "    - ASoC: tegra: Use non-atomic timeout for ADX status register",
                            "    - ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio",
                            "      compatible",
                            "    - ALSA: usb-audio: separate DJM-A9 cap lvl options",
                            "    - ALSA: timer: Don't take register_mutex with copy_from/to_user()",
                            "    - ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA",
                            "    - wifi: rtw89: Correct immediate cfg_len calculation for scan_offload_be",
                            "    - wifi: ath12k: fix skb_ext_desc leak in ath12k_dp_tx() error path",
                            "    - wifi: ath12k: encode max Tx power in scan channel list command",
                            "    - wifi: ath12k: Fix pdev lookup in WBM error processing",
                            "    - wifi: ath9k: do not submit zero bytes to the entropy pool",
                            "    - wifi: ath11k: fix wrong overriding for VHT Beamformee STS Capability",
                            "    - arm64: dts: mediatek: mt8173-elm: Drop pmic's #address-cells and #size-cells",
                            "    - arm64: dts: mediatek: mt8173: Fix some node names",
                            "    - wifi: ath11k: update channel list in reg notifier instead reg worker",
                            "    - ARM: dts: omap4-panda-a4: Add missing model and compatible properties",
                            "    - f2fs: quota: fix to avoid warning in dquot_writeback_dquots()",
                            "    - dlm: prevent NPD when writing a positive value to event_done",
                            "    - wifi: ath11k: fix RCU stall while reaping monitor destination ring",
                            "    - wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode",
                            "    - wifi: ath12k: Fix locking in \"QMI firmware ready\" error paths",
                            "    - f2fs: fix to avoid panic once fallocation fails for pinfile",
                            "    - scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO",
                            "    - md: ensure resync is prioritized over recovery",
                            "    - md/raid1: fix memory leak in raid1_run() if no active rdev",
                            "    - coredump: Fixes core_pipe_limit sysctl proc_handler",
                            "    - io_uring/io-wq: eliminate redundant io_work_get_acct() calls",
                            "    - io_uring/io-wq: cache work->flags in variable",
                            "    - io_uring/io-wq: do not use bogus hash value",
                            "    - io_uring: check for iowq alloc_workqueue failure",
                            "    - io_uring/net: improve recv bundles",
                            "    - firmware: arm_ffa: Refactor addition of partition information into XArray",
                            "    - firmware: arm_ffa: Unregister the FF-A devices when cleaning up the",
                            "      partitions",
                            "    - arm64: dts: mediatek: mt6359: fix dtbs_check error for audio-codec",
                            "    - scsi: mpi3mr: Fix locking in an error path",
                            "    - scsi: mpt3sas: Fix a locking bug in an error path",
                            "    - can: rockchip_canfd: rkcanfd_chip_fifo_setup(): remove duplicated setup of",
                            "      RX FIFO",
                            "    - jfs: reject on-disk inodes of an unsupported type",
                            "    - jfs: add check read-only before txBeginAnon() call",
                            "    - jfs: add check read-only before truncation in jfs_truncate_nolock()",
                            "    - wifi: ath12k: Add missing htt_metadata flag in ath12k_dp_tx()",
                            "    - wifi: rtw89: rtw8852b{t}: fix TSSI debug timestamps",
                            "    - xfrm: delay initialization of offload path till its actually requested",
                            "    - iommu/io-pgtable-dart: Only set subpage protection disable for DART 1",
                            "    - firmware: arm_ffa: Explicitly cast return value from FFA_VERSION before",
                            "      comparison",
                            "    - firmware: arm_ffa: Explicitly cast return value from NOTIFICATION_INFO_GET",
                            "    - arm64: dts: renesas: r8a774c0: Re-add voltages to OPP table",
                            "    - arm64: dts: renesas: r8a77990: Re-add voltages to OPP table",
                            "    - firmware: arm_ffa: Skip the first/partition ID when parsing vCPU list",
                            "    - arm64: dts: ti: k3-j722s-evm: Fix USB2.0_MUX_SEL to select Type-C",
                            "    - wifi: ath12k: use link specific bss_conf as well in",
                            "      ath12k_mac_vif_cache_flush()",
                            "    - arm64: dts: imx8mp-skov: correct PMIC board limits",
                            "    - arm64: dts: imx8mp-skov: operate CPU at 850 mV by default",
                            "    - arm64: dts: mediatek: mt8390-genio-700-evk: Move common parts to dtsi",
                            "    - arm64: dts: mediatek: mt8390-genio-common: Fix duplicated regulator name",
                            "    - wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in",
                            "      error path",
                            "    - wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in",
                            "      error path",
                            "    - f2fs: fix to set .discard_granularity correctly",
                            "    - f2fs: add check for deleted inode",
                            "    - arm64: dts: ti: k3-am62-verdin-dahlia: add Microphone Jack to sound card",
                            "    - f2fs: fix potential deadloop in prepare_compress_overwrite()",
                            "    - f2fs: fix to call f2fs_recover_quota_end() correctly",
                            "    - md: fix mddev uaf while iterating all_mddevs list",
                            "    - md/raid1,raid10: don't ignore IO flags",
                            "    - md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb",
                            "    - tracing: Fix DECLARE_TRACE_CONDITION",
                            "    - tools/rv: Keep user LDFLAGS in build",
                            "    - arm64: dts: ti: k3-am62p: Enable AUDIO_REFCLKx",
                            "    - arm64: dts: ti: k3-am62p: fix pinctrl settings",
                            "    - arm64: dts: ti: k3-j722s: fix pinctrl settings",
                            "    - wifi: rtw89: fw: correct debug message format in",
                            "      rtw89_build_txpwr_trk_tbl_from_elm()",
                            "    - wifi: rtw89: pci: correct ISR RDU bit for 8922AE",
                            "    - blk-throttle: fix lower bps rate by throtl_trim_slice()",
                            "    - soc: mediatek: mtk-mmsys: Fix MT8188 VDO1 DPI1 output selection",
                            "    - soc: mediatek: mt8167-mmsys: Fix missing regval in all entries",
                            "    - soc: mediatek: mt8365-mmsys: Fix routing table masks and values",
                            "    - md/raid10: wait barrier before returning discard request with REQ_NOWAIT",
                            "    - block: ensure correct integrity capability propagation in stacked devices",
                            "    - block: Correctly initialize BLK_INTEGRITY_NOGENERATE and",
                            "      BLK_INTEGRITY_NOVERIFY",
                            "    - badblocks: Fix error shitf ops",
                            "    - badblocks: factor out a helper try_adjacent_combine",
                            "    - badblocks: attempt to merge adjacent badblocks during ack_all_badblocks",
                            "    - badblocks: return error directly when setting badblocks exceeds 512",
                            "    - badblocks: return error if any badblock set fails",
                            "    - badblocks: fix the using of MAX_BADBLOCKS",
                            "    - badblocks: fix merge issue when new badblocks align with pre+1",
                            "    - badblocks: fix missing bad blocks on retry in _badblocks_check()",
                            "    - badblocks: return boolean from badblocks_set() and badblocks_clear()",
                            "    - badblocks: use sector_t instead of int to avoid truncation of badblocks",
                            "      length",
                            "    - firmware: arm_scmi: use ioread64() instead of ioread64_hi_lo()",
                            "    - net: airoha: Fix lan4 support in airoha_qdma_get_gdm_port()",
                            "    - iommu/amd: Fix header file",
                            "    - iommu/vt-d: Fix system hang on reboot -f",
                            "    - memory: mtk-smi: Add ostd setting for mt8192",
                            "    - gfs2: minor evict fix",
                            "    - gfs2: skip if we cannot defer delete",
                            "    - ARM: dts: imx6ul-tqma6ul1: Change include order to disable fec2 node",
                            "    - arm64: dts: imx8mp: add AUDIO_AXI_CLK_ROOT to AUDIOMIX block",
                            "    - arm64: dts: imx8mp: change AUDIO_AXI_CLK_ROOT freq. to 800MHz",
                            "    - f2fs: fix to avoid accessing uninitialized curseg",
                            "    - iommu: Handle race with default domain setup",
                            "    - wifi: mac80211: remove SSID from ML reconf",
                            "    - f2fs: fix to avoid running out of free segments",
                            "    - block: fix adding folio to bio",
                            "    - ext4: fix potential null dereference in ext4 kunit test",
                            "    - ext4: convert EXT4_FLAGS_* defines to enum",
                            "    - ext4: add EXT4_FLAGS_EMERGENCY_RO bit",
                            "    - ext4: correct behavior under errors=remount-ro mode",
                            "    - ext4: show 'emergency_ro' when EXT4_FLAGS_EMERGENCY_RO is set",
                            "    - arm64: dts: rockchip: Move rk356x scmi SHMEM to reserved memory",
                            "    - arm64: dts: rockchip: Remove bluetooth node from rock-3a",
                            "    - bus: qcom-ssc-block-bus: Remove some duplicated iounmap() calls",
                            "    - bus: qcom-ssc-block-bus: Fix the error handling path of",
                            "      qcom_ssc_block_bus_probe()",
                            "    - arm64: dts: rockchip: Fix pcie reset gpio on Orange Pi 5 Max",
                            "    - arm64: dts: rockchip: Fix PWM pinctrl names",
                            "    - arm64: dts: rockchip: remove ethm0_clk0_25m_out from Sige5 gmac0",
                            "    - erofs: allow 16-byte volume name again",
                            "    - ext4: add missing brelse() for bh2 in ext4_dx_add_entry()",
                            "    - ext4: verify fast symlink length",
                            "    - f2fs: fix missing discard for active segments",
                            "    - scsi: hisi_sas: Fixed failure to issue vendor specific commands",
                            "    - scsi: target: tcm_loop: Fix wrong abort tag",
                            "    - ext4: introduce ITAIL helper",
                            "    - ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()",
                            "    - ext4: goto right label 'out_mmap_sem' in ext4_setattr()",
                            "    - jbd2: fix off-by-one while erasing journal",
                            "    - ata: libata: Fix NCQ Non-Data log not supported print",
                            "    - wifi: nl80211: store chandef on the correct link when starting CAC",
                            "    - wifi: mac80211: check basic rates validity in sta_link_apply_parameters",
                            "    - wifi: cfg80211: init wiphy_work before allocating rfkill fails",
                            "    - wifi: mwifiex: Fix premature release of RF calibration data.",
                            "    - wifi: mwifiex: Fix RF calibration data download from file",
                            "    - ice: health.c: fix compilation on gcc 7.5",
                            "    - ice: ensure periodic output start time is in the future",
                            "    - ice: fix reservation of resources for RDMA when disabled",
                            "    - virtchnl: make proto and filter action count unsigned",
                            "    - ice: stop truncating queue ids when checking",
                            "    - ice: validate queue quanta parameters to prevent OOB access",
                            "    - ice: fix input validation for virtchnl BW",
                            "    - ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()",
                            "    - idpf: check error for register_netdev() on init",
                            "    - btrfs: get used bytes while holding lock at btrfs_reclaim_bgs_work()",
                            "    - btrfs: fix reclaimed bytes accounting after automatic block group reclaim",
                            "    - btrfs: fix block group refcount race in btrfs_create_pending_block_groups()",
                            "    - btrfs: don't clobber ret in btrfs_validate_super()",
                            "    - wifi: mt76: mt7915: fix possible integer overflows in",
                            "      mt7915_muru_stats_show()",
                            "    - igb: reject invalid external timestamp requests for 82580-based HW",
                            "    - renesas: reject PTP_STRICT_FLAGS as unsupported",
                            "    - net: lan743x: reject unsupported external timestamp requests",
                            "    - broadcom: fix supported flag check in periodic output function",
                            "    - ptp: ocp: reject unsupported periodic output flags",
                            "    - nvmet: pci-epf: Always configure BAR0 as 64-bit",
                            "    - jbd2: add a missing data flush during file and fs synchronization",
                            "    - ext4: define ext4_journal_destroy wrapper",
                            "    - ext4: avoid journaling sb update on error if journal is destroying",
                            "    - eth: bnxt: fix out-of-range access of vnic_info array",
                            "    - net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.",
                            "    - netfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error",
                            "    - netfilter: nf_tables: Only use nf_skip_indirect_calls() when",
                            "      MITIGATION_RETPOLINE",
                            "    - ax25: Remove broken autobind",
                            "    - net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context",
                            "    - bnxt_en: Mask the bd_cnt field in the TX BD properly",
                            "    - bnxt_en: Linearize TX SKB if the fragments exceed the max",
                            "    - net: dsa: mv88e6xxx: fix atu_move_port_mask for 6341 family",
                            "    - net: dsa: mv88e6xxx: enable PVT for 6321 switch",
                            "    - net: dsa: mv88e6xxx: enable .port_set_policy() for 6320 family",
                            "    - net: dsa: mv88e6xxx: fix VTU methods for 6320 family",
                            "    - net: dsa: mv88e6xxx: enable STU methods for 6320 family",
                            "    - mlxsw: spectrum_acl_bloom_filter: Workaround for some LLVM versions",
                            "    - net: dsa: sja1105: fix displaced ethtool statistics counters",
                            "    - net: dsa: sja1105: reject other RX filters than",
                            "      HWTSTAMP_FILTER_PTP_V2_L2_EVENT",
                            "    - net: dsa: sja1105: fix kasan out-of-bounds warning in",
                            "      sja1105_table_delete_entry()",
                            "    - net/mlx5: LAG, reload representors on LAG creation failure",
                            "    - net/mlx5: Start health poll after enable hca",
                            "    - vmxnet3: unregister xdp rxq info in the reset path",
                            "    - bonding: check xdp prog when set bond mode",
                            "    - ibmvnic: Use kernel helpers for hex dumps",
                            "    - net: fix NULL pointer dereference in l3mdev_l3_rcv",
                            "    - virtio_net: Fix endian with virtio_net_ctrl_rss",
                            "    - Bluetooth: Add quirk for broken READ_VOICE_SETTING",
                            "    - Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE",
                            "    - Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth",
                            "      controllers",
                            "    - Bluetooth: hci_core: Enable buffer flow control for SCO/eSCO",
                            "    - Bluetooth: HCI: Add definition of hci_rp_remote_name_req_cancel",
                            "    - rwonce: handle KCSAN like KASAN in read_word_at_a_time()",
                            "    - net: dsa: microchip: fix DCB apptrust configuration on KSZ88x3",
                            "    - Bluetooth: btnxpuart: Fix kernel panic during FW release",
                            "    - Bluetooth: hci_event: Fix handling of HCI_EV_LE_DIRECT_ADV_REPORT",
                            "    - net: Fix the devmem sock opts and msgs for parisc",
                            "    - net: libwx: fix Tx descriptor content for some tunnel packets",
                            "    - net: libwx: fix Tx L4 checksum",
                            "    - rwonce: fix crash by removing READ_ONCE() for unaligned read",
                            "    - drm/bridge: ti-sn65dsi86: Fix multiple instances",
                            "    - drm/ssd130x: Set SPI .id_table to prevent an SPI core warning",
                            "    - accel/amdxdna: Return error when setting clock failed for npu1",
                            "    - drm/panthor: Fix a race between the reset and suspend path",
                            "    - drm/ssd130x: fix ssd132x encoding",
                            "    - drm/ssd130x: ensure ssd132x pitch is correct",
                            "    - drm/dp_mst: Fix drm RAD print",
                            "    - drm/bridge: it6505: fix HDCP V match check is not performed correctly",
                            "    - drm/panthor: Fix race condition when gathering fdinfo group samples",
                            "    - drm: xlnx: zynqmp: Fix max dma segment size",
                            "    - drm: xlnx: zynqmp_dpsub: Add NULL check in zynqmp_audio_init",
                            "    - drm: zynqmp_dp: Fix a deadlock in zynqmp_dp_ignore_hpd_set()",
                            "    - drm/vkms: Fix use after free and double free on init error",
                            "    - gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines",
                            "    - drm/amdgpu: refine smu send msg debug log format",
                            "    - drm/amdgpu/umsch: remove vpe test from umsch",
                            "    - drm/amdgpu/umsch: declare umsch firmware",
                            "    - drm/amdgpu/umsch: fix ucode check",
                            "    - drm/amdgpu/vcn5.0.1: use correct dpm helper",
                            "    - PCI: Use downstream bridges for distributing resources",
                            "    - PCI: Remove add_align overwrite unrelated to size0",
                            "    - PCI: Simplify size1 assignment logic",
                            "    - PCI: Allow relaxed bridge window tail sizing for optional resources",
                            "    - drm/mediatek: mtk_hdmi: Unregister audio platform device on failure",
                            "    - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member",
                            "    - drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid",
                            "      Priority Inversion in SRIOV",
                            "    - PCI/ASPM: Fix link state exit during switch upstream function removal",
                            "    - drm/panel: ilitek-ili9882t: fix GPIO name in error message",
                            "    - PCI/ACS: Fix 'pci=config_acs=' parameter",
                            "    - drm/amd/display: fix an indent issue in DML21",
                            "    - drm/msm/dpu: don't use active in atomic_check()",
                            "    - drm/msm/dsi/phy: Program clock inverters in correct register",
                            "    - drm/msm/dsi: Use existing per-interface slice count in DSC timing",
                            "    - drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host",
                            "    - drm/msm/dpu: Fall back to a single DSC encoder (1:1:1) on small SoCs",
                            "    - drm/msm/dpu: Remove arbitrary limit of 1 interface in DSC topology",
                            "    - drm/msm/gem: Fix error code msm_parse_deps()",
                            "    - drm/amdkfd: Fix Circular Locking Dependency in",
                            "      'svm_range_cpu_invalidate_pagetables'",
                            "    - PCI: mediatek-gen3: Configure PBUS_CSR registers for EN7581 SoC",
                            "    - PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data",
                            "      payload",
                            "    - PCI: brcmstb: Set generation limit before PCIe link up",
                            "    - PCI: brcmstb: Use internal register to change link capability",
                            "    - PCI: brcmstb: Fix error path after a call to regulator_bulk_get()",
                            "    - PCI: brcmstb: Fix potential premature regulator disabling",
                            "    - selftests/pcie_bwctrl: Add 'set_pcie_speed.sh' to TEST_PROGS",
                            "    - PCI/portdrv: Only disable pciehp interrupts early when needed",
                            "    - PCI: Avoid reset when disabled via sysfs",
                            "    - drm/msm/dpu: move needs_cdm setting to dpu_encoder_get_topology()",
                            "    - drm/msm/dpu: simplify dpu_encoder_get_topology() interface",
                            "    - drm/msm/dpu: don't set crtc_state->mode_changed from atomic_check()",
                            "    - drm/panthor: Update CS_STATUS_ defines to correct values",
                            "    - drm/file: Add fdinfo helper for printing regions with prefix",
                            "    - drm/panthor: Expose size of driver internal BO's over fdinfo",
                            "    - drm/panthor: Replace sleep locks with spinlocks in fdinfo path",
                            "    - drm/panthor: Avoid sleep locking in the internal BO size path",
                            "    - drm/panthor: Clean up FW version information display",
                            "    - drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()",
                            "    - drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump",
                            "    - powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'",
                            "    - misc: pci_endpoint_test: Fix pci_endpoint_test_bars_read_bar() error",
                            "      handling",
                            "    - misc: pci_endpoint_test: Handle BAR sizes larger than INT_MAX",
                            "    - PCI: endpoint: pci-epf-test: Handle endianness properly",
                            "    - crypto: powerpc: Mark ghashp8-ppc.o as an OBJECT_FILES_NON_STANDARD",
                            "    - powerpc/kexec: fix physical address calculation in clear_utlb_entry()",
                            "    - PCI: Remove stray put_device() in pci_register_host_bridge()",
                            "    - PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe",
                            "    - drm/mediatek: Fix config_updating flag never false when no mbox channel",
                            "    - drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr",
                            "    - drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()",
                            "    - drm/amd/display: avoid NPD when ASIC does not support DMUB",
                            "    - PCI: dwc: ep: Return -ENOMEM for allocation failures",
                            "    - PCI: histb: Fix an error handling path in histb_pcie_probe()",
                            "    - PCI: Fix BAR resizing when VF BARs are assigned",
                            "    - drm/amdgpu/mes: optimize compute loop handling",
                            "    - drm/amdgpu/mes: enable compute pipes across all MEC",
                            "    - PCI: pciehp: Don't enable HPIE when resuming in poll mode",
                            "    - PCI/bwctrl: Fix pcie_bwctrl_select_speed() return type",
                            "    - io_uring/net: only import send_zc buffer once",
                            "    - PCI: Fix NULL dereference in SR-IOV VF creation error path",
                            "    - io_uring: use lockless_cq flag in io_req_complete_post()",
                            "    - io_uring: fix retry handling off iowq",
                            "    - fbdev: au1100fb: Move a variable assignment behind a null pointer check",
                            "    - dummycon: fix default rows/cols",
                            "    - mdacon: rework dependency list",
                            "    - fbdev: sm501fb: Add some geometry checks.",
                            "    - crypto: iaa - Test the correct request flag",
                            "    - crypto: qat - set parity error mask for qat_420xx",
                            "    - crypto: tegra - Use separate buffer for setkey",
                            "    - crypto: tegra - Do not use fixed size buffers",
                            "    - crypto: tegra - check return value for hash do_one_req",
                            "    - crypto: tegra - Transfer HASH init function to crypto engine",
                            "    - crypto: tegra - Fix HASH intermediate result handling",
                            "    - crypto: bpf - Add MODULE_DESCRIPTION for skcipher",
                            "    - crypto: tegra - Use HMAC fallback when keyslots are full",
                            "    - clk: amlogic: gxbb: drop incorrect flag on 32k clock",
                            "    - crypto: hisilicon/sec2 - fix for aead authsize alignment",
                            "    - crypto: hisilicon/sec2 - fix for sec spec check",
                            "    - RDMA/mlx5: Fix page_size variable overflow",
                            "    - remoteproc: core: Clear table_sz when rproc_shutdown",
                            "    - of: property: Increase NR_FWNODE_REFERENCE_ARGS",
                            "    - pinctrl: renesas: rzg2l: Suppress binding attributes",
                            "    - remoteproc: qcom_q6v5_pas: Make single-PD handling more robust",
                            "    - libbpf: Fix hypothetical STT_SECTION extern NULL deref case",
                            "    - drivers: clk: qcom: ipq5424: fix the freq table of sdcc1_apps clock",
                            "    - selftests/bpf: Fix string read in strncmp benchmark",
                            "    - x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()",
                            "    - clk: renesas: r8a08g045: Check the source of the CPU PLL settings",
                            "    - remoteproc: qcom: pas: add minidump_id to SC7280 WPSS",
                            "    - clk: samsung: Fix UBSAN panic in samsung_clk_init()",
                            "    - pinctrl: nuvoton: npcm8xx: Fix error handling in npcm8xx_gpio_fw()",
                            "    - crypto: tegra - Fix CMAC intermediate result handling",
                            "    - clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock",
                            "    - selftests/bpf: Fix runqslower cross-endian build",
                            "    - s390: Remove ioremap_wt() and pgprot_writethrough()",
                            "    - RDMA/mana_ib: Ensure variable err is initialized",
                            "    - crypto: tegra - Set IV to NULL explicitly for AES ECB",
                            "    - remoteproc: qcom_q6v5_pas: Use resource with CX PD for MSM8226",
                            "    - crypto: tegra - finalize crypto req on error",
                            "    - crypto: tegra - Reserve keyslots to allocate dynamically",
                            "    - bpf: Use preempt_count() directly in bpf_send_signal_common()",
                            "    - lib: 842: Improve error handling in sw842_compress()",
                            "    - pinctrl: renesas: rza2: Fix missing of_node_put() call",
                            "    - pinctrl: renesas: rzg2l: Fix missing of_node_put() call",
                            "    - RDMA/mlx5: Fix MR cache initialization error flow",
                            "    - selftests/bpf: Fix freplace_link segfault in tailcalls prog test",
                            "    - clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent",
                            "    - RDMA/core: Don't expose hw_counters outside of init net namespace",
                            "    - RDMA/mlx5: Fix calculation of total invalidated pages",
                            "    - RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()",
                            "    - remoteproc: qcom_q6v5_mss: Handle platforms with one power domain",
                            "    - power: supply: bq27xxx_battery: do not update cached flags prematurely",
                            "    - leds: st1202: Check for error code from devm_mutex_init() call",
                            "    - crypto: api - Fix larval relookup type and mask",
                            "    - IB/mad: Check available slots before posting receive WRs",
                            "    - pinctrl: tegra: Set SFIO mode to Mux Register",
                            "    - clk: amlogic: g12b: fix cluster A parent data",
                            "    - clk: amlogic: gxbb: drop non existing 32k clock parent",
                            "    - selftests/bpf: Select NUMA_NO_NODE to create map",
                            "    - rust: fix signature of rust_fmt_argument",
                            "    - crypto: tegra - Fix format specifier in tegra_sha_prep_cmd()",
                            "    - libbpf: Add namespace for errstr making it libbpf_errstr",
                            "    - clk: mmp: Fix NULL vs IS_ERR() check",
                            "    - pinctrl: npcm8xx: Fix incorrect struct npcm8xx_pincfg assignment",
                            "    - samples/bpf: Fix broken vmlinux path for VMLINUX_BTF",
                            "    - crypto: qat - remove access to parity register for QAT GEN4",
                            "    - clk: clk-imx8mp-audiomix: fix dsp/ocram_a clock parents",
                            "    - clk: amlogic: g12a: fix mmc A peripheral clock",
                            "    - pinctrl: bcm2835: don't -EINVAL on alternate funcs from get_direction()",
                            "    - x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1",
                            "    - power: supply: max77693: Fix wrong conversion of charge input threshold",
                            "      value",
                            "    - crypto: api - Call crypto_alg_put in crypto_unregister_alg",
                            "    - clk: stm32f4: fix an uninitialized variable",
                            "    - crypto: nx - Fix uninitialised hv_nxc on error",
                            "    - clk: qcom: gcc-sm8650: Do not turn off USB GDSCs during gdsc_disable()",
                            "    - bpf: Fix array bounds error with may_goto",
                            "    - RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow",
                            "    - pinctrl: renesas: rzv2m: Fix missing of_node_put() call",
                            "    - clk: qcom: ipq5424: fix software and hardware flow control error of UART",
                            "    - mfd: sm501: Switch to BIT() to mitigate integer overflows",
                            "    - leds: Fix LED_OFF brightness race",
                            "    - x86/dumpstack: Fix inaccurate unwinding from exception stacks due to",
                            "      misplaced assignment",
                            "    - RDMA/core: Fix use-after-free when rename device name",
                            "    - crypto: hisilicon/sec2 - fix for aead auth key length",
                            "    - pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm()",
                            "    - clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock",
                            "    - libbpf: Fix accessing BTF.ext core_relo header",
                            "    - perf stat: Fix find_stat for mixed legacy/non-legacy events",
                            "    - perf: Always feature test reallocarray",
                            "    - w1: fix NULL pointer dereference in probe",
                            "    - staging: gpib: Add missing interface entry point",
                            "    - staging: gpib: Fix pr_err format warning",
                            "    - usb: typec: thunderbolt: Fix loops that iterate TYPEC_PLUG_SOP_P and",
                            "      TYPEC_PLUG_SOP_PP",
                            "    - usb: typec: thunderbolt: Remove IS_ERR check for plug",
                            "    - iio: dac: adi-axi-dac: modify stream enable",
                            "    - perf test: Fix Hwmon PMU test endianess issue",
                            "    - perf stat: Don't merge counters purely on name",
                            "    - fs/ntfs3: Factor out ntfs_{create/remove}_procdir()",
                            "    - fs/ntfs3: Factor out ntfs_{create/remove}_proc_root()",
                            "    - fs/ntfs3: Fix 'proc_info_root' leak when init ntfs failed",
                            "    - fs/ntfs3: Update inode->i_mapping->a_ops on compression state",
                            "    - iio: light: veml6030: extend regmap to support regfields",
                            "    - iio: gts-helper: export iio_gts_get_total_gain()",
                            "    - iio: light: veml6030: fix scale to conform to ABI",
                            "    - iio: adc: ad7124: Micro-optimize channel disabling",
                            "    - iio: adc: ad7124: Really disable all channels at probe time",
                            "    - phy: phy-rockchip-samsung-hdptx: Don't use dt aliases to determine phy-id",
                            "    - perf tools: Add skip check in tool_pmu__event_to_str()",
                            "    - isofs: fix KMSAN uninit-value bug in do_isofs_readdir()",
                            "    - perf tests: Fix Tool PMU test segfault",
                            "    - soundwire: slave: fix an OF node reference leak in soundwire slave device",
                            "    - staging: gpib: Fix cb7210 pcmcia Oops",
                            "    - perf report: Switch data file correctly in TUI",
                            "    - perf report: Fix input reload/switch with symbol sort key",
                            "    - greybus: gb-beagleplay: Add error handling for gb_greybus_init",
                            "    - coresight: catu: Fix number of pages while using 64k pages",
                            "    - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint",
                            "    - coresight-etm4x: add isb() before reading the TRCSTATR",
                            "    - perf pmus: Restructure pmu_read_sysfs to scan fewer PMUs",
                            "    - perf pmu: Dynamically allocate tool PMU",
                            "    - perf pmu: Don't double count common sysfs and json events",
                            "    - tools/x86: Fix linux/unaligned.h include path in lib/insn.c",
                            "    - perf build: Fix in-tree build due to symbolic link",
                            "    - ucsi_ccg: Don't show failed to get FW build information error",
                            "    - iio: accel: mma8452: Ensure error return on failure to matching oversampling",
                            "      ratio",
                            "    - iio: accel: msa311: Fix failure to release runtime pm if direct mode claim",
                            "      fails.",
                            "    - iio: backend: make sure to NULL terminate stack buffer",
                            "    - iio: core: Rework claim and release of direct mode to work with sparse.",
                            "    - iio: adc: ad7173: Grab direct mode for calibration",
                            "    - iio: adc: ad7192: Grab direct mode for calibration",
                            "    - perf arm-spe: Fix load-store operation checking",
                            "    - perf bench: Fix perf bench syscall loop count",
                            "    - perf machine: Fixup kernel maps ends after adding extra maps",
                            "    - usb: xhci: correct debug message page size calculation",
                            "    - fs/ntfs3: Fix a couple integer overflows on 32bit systems",
                            "    - fs/ntfs3: Prevent integer overflow in hdr_first_de()",
                            "    - perf test: Add timeout to datasym workload",
                            "    - perf tests: Fix data symbol test with LTO builds",
                            "    - NFSD: Fix callback decoder status codes",
                            "    - soundwire: take in count the bandwidth of a prepared stream",
                            "    - dmaengine: fsl-edma: cleanup chan after dma_async_device_unregister",
                            "    - dmaengine: fsl-edma: free irq correctly in remove path",
                            "    - dmaengine: ae4dma: Use the MSI count and its corresponding IRQ number",
                            "    - dmaengine: ptdma: Utilize the AE4DMA engine's multi-queue functionality",
                            "    - iio: adc: ad_sigma_delta: Disable channel after calibration",
                            "    - iio: adc: ad4130: Fix comparison of channel setups",
                            "    - iio: adc: ad7124: Fix comparison of channel configs",
                            "    - iio: adc: ad7173: Fix comparison of channel configs",
                            "    - iio: adc: ad7768-1: set MOSI idle state to prevent accidental reset",
                            "    - iio: light: Add check for array bounds in veml6075_read_int_time_ms",
                            "    - perf debug: Avoid stack overflow in recursive error message",
                            "    - perf evlist: Add success path to evlist__create_syswide_maps",
                            "    - perf evsel: tp_format accessing improvements",
                            "    - perf x86/topdown: Fix topdown leader sampling test error on hybrid",
                            "    - perf units: Fix insufficient array space",
                            "    - perf test stat_all_pmu.sh: Correctly check 'perf stat' result",
                            "    - kernel/events/uprobes: handle device-exclusive entries correctly in",
                            "      __replace_page()",
                            "    - kexec: initialize ELF lowest address to ULONG_MAX",
                            "    - ocfs2: validate l_tree_depth to avoid out-of-bounds access",
                            "    - reboot: replace __hw_protection_shutdown bool action parameter with an enum",
                            "    - reboot: reboot, not shutdown, on hw_protection_reboot timeout",
                            "    - arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig",
                            "    - writeback: let trace_balance_dirty_pages() take struct dtc as parameter",
                            "    - writeback: fix calculations in trace_balance_dirty_pages() for cgwb",
                            "    - scripts/gdb/linux/symbols.py: address changes to module_sect_attrs",
                            "    - NFSv4: Don't trigger uneccessary scans for return-on-close delegations",
                            "    - NFSv4: Avoid unnecessary scans of filesystems for returning delegations",
                            "    - NFSv4: Avoid unnecessary scans of filesystems for expired delegations",
                            "    - NFSv4: Avoid unnecessary scans of filesystems for delayed delegations",
                            "    - NFS: fix open_owner_id_maxsz and related fields.",
                            "    - fuse: fix dax truncate/punch_hole fault path",
                            "    - selftests/mm/cow: fix the incorrect error handling",
                            "    - um: Pass the correct Rust target and options with gcc",
                            "    - um: remove copy_from_kernel_nofault_allowed",
                            "    - um: hostfs: avoid issues on inode number reuse by host",
                            "    - i3c: master: svc: Fix missing the IBI rules",
                            "    - perf python: Fixup description of sample.id event member",
                            "    - perf python: Decrement the refcount of just created event on failure",
                            "    - perf python: Don't keep a raw_data pointer to consumed ring buffer space",
                            "    - perf python: Check if there is space to copy all the event",
                            "    - perf dso: fix dso__is_kallsyms() check",
                            "    - perf: intel-tpebs: Fix incorrect usage of zfree()",
                            "    - perf pmu: Handle memory failure in tool_pmu__new()",
                            "    - staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES",
                            "    - staging: vchiq_arm: Register debugfs after cdev",
                            "    - staging: vchiq_arm: Fix possible NPR of keep-alive thread",
                            "    - staging: vchiq_arm: Stop kthreads if vchiq cdev register fails",
                            "    - tty: n_tty: use uint for space returned by tty_write_room()",
                            "    - perf vendor events arm64 AmpereOneX: Fix frontend_bound calculation",
                            "    - fs/procfs: fix the comment above proc_pid_wchan()",
                            "    - perf tools: Fix is_compat_mode build break in ppc64",
                            "    - perf tools: annotate asm_pure_loop.S",
                            "    - perf bpf-filter: Fix a parsing error with comma",
                            "    - objtool: Handle various symbol types of rodata",
                            "    - objtool: Handle different entry size of rodata",
                            "    - objtool: Handle PC relative relocation type",
                            "    - objtool: Fix detection of consecutive jump tables on Clang 20",
                            "    - thermal: core: Remove duplicate struct declaration",
                            "    - objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq()",
                            "    - objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show()",
                            "    - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()",
                            "    - NFS: Shut down the nfs_client only after all the superblocks",
                            "    - smb: client: Fix netns refcount imbalance causing leaks and use-after-free",
                            "    - exfat: fix the infinite loop in exfat_find_last_cluster()",
                            "    - exfat: fix missing shutdown check",
                            "    - rtnetlink: Allocate vfinfo size for VF GUIDs when supported",
                            "    - rndis_host: Flag RNDIS modems as WWAN devices",
                            "    - ksmbd: use aead_request_free to match aead_request_alloc",
                            "    - ksmbd: fix multichannel connection failure",
                            "    - ksmbd: fix r_count dec/increment mismatch",
                            "    - net/mlx5e: SHAMPO, Make reserved size independent of page size",
                            "    - ring-buffer: Fix bytes_dropped calculation issue",
                            "    - objtool: Fix segfault in ignore_unreachable_insn()",
                            "    - LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig",
                            "    - LoongArch: Fix device node refcount leak in fdt_cpu_clk_init()",
                            "    - LoongArch: Rework the arch_kgdb_breakpoint() implementation",
                            "    - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are",
                            "      invalid",
                            "    - net: phy: broadcom: Correct BCM5221 PHY model detection",
                            "    - octeontx2-af: Fix mbox INTR handler when num VFs > 64",
                            "    - octeontx2-af: Free NIX_AF_INT_VEC_GEN irq",
                            "    - objtool: Fix verbose disassembly if CROSS_COMPILE isn't set",
                            "    - sched/smt: Always inline sched_smt_active()",
                            "    - context_tracking: Always inline ct_{nmi,irq}_{enter,exit}()",
                            "    - rcu-tasks: Always inline rcu_irq_work_resched()",
                            "    - objtool/loongarch: Add unwind hints in prepare_frametrace()",
                            "    - nfs: Add missing release on error in nfs_lock_and_join_requests()",
                            "    - rtc: renesas-rtca3: Disable interrupts only if the RTC is enabled",
                            "    - spufs: fix a leak on spufs_new_file() failure",
                            "    - spufs: fix gang directory lifetimes",
                            "    - spufs: fix a leak in spufs_create_context()",
                            "    - fs/9p: fix NULL pointer dereference on mkdir",
                            "    - riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and",
                            "      make_call_ra",
                            "    - riscv: Fix the __riscv_copy_vec_words_unaligned implementation",
                            "    - riscv: Fix missing __free_pages() in check_vector_unaligned_access()",
                            "    - riscv: fgraph: Select HAVE_FUNCTION_GRAPH_TRACER depends on",
                            "      HAVE_DYNAMIC_FTRACE_WITH_ARGS",
                            "    - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans",
                            "    - ntb: intel: Fix using link status DB's",
                            "    - riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of",
                            "      ftrace_return_to_handler",
                            "    - riscv: Annotate unaligned access init functions",
                            "    - riscv: Fix riscv_online_cpu_vec",
                            "    - riscv: Fix check_unaligned_access_all_cpus",
                            "    - riscv: Change check_unaligned_access_speed_all_cpus to void",
                            "    - riscv: Fix set up of cpu hotplug callbacks",
                            "    - riscv: Fix set up of vector cpu hotplug callback",
                            "    - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success",
                            "    - ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA",
                            "    - RISC-V: errata: Use medany for relocatable builds",
                            "    - x86/uaccess: Improve performance by aligning writes to 8 bytes in",
                            "      copy_user_generic(), on non-FSRM/ERMS CPUs",
                            "    - ublk: make sure ubq->canceling is set when queue is frozen",
                            "    - s390/entry: Fix setting _CIF_MCCK_GUEST with lowcore relocation",
                            "    - ASoC: codecs: rt5665: Fix some error handling paths in rt5665_probe()",
                            "    - spi: cadence: Fix out-of-bounds array access in cdns_mrvl_xspi_setup_clock()",
                            "    - riscv: Fix hugetlb retrieval of number of ptes in case of !present pte",
                            "    - riscv/kexec_file: Handle R_RISCV_64 in purgatory relocator",
                            "    - riscv/purgatory: 4B align purgatory_start",
                            "    - nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer",
                            "    - nvme-pci: skip nvme_write_sq_db on empty rqlist",
                            "    - ASoC: imx-card: Add NULL check in imx_card_probe()",
                            "    - spi: bcm2835: Do not call gpiod_put() on invalid descriptor",
                            "    - ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model",
                            "    - spi: bcm2835: Restore native CS probing when pinctrl-bcm2835 is absent",
                            "    - xsk: Add launch time hardware offload support to XDP Tx metadata",
                            "    - igc: Refactor empty frame insertion for launch time support",
                            "    - igc: Add launch time support to XDP ZC",
                            "    - igc: Fix TX drops in XDP ZC",
                            "    - e1000e: change k1 configuration on MTP and later platforms",
                            "    - ixgbe: fix media type detection for E610 device",
                            "    - idpf: fix adapter NULL pointer dereference on reboot",
                            "    - netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets",
                            "      only",
                            "    - netfilter: nf_tables: don't unregister hook when table is dormant",
                            "    - netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets",
                            "    - net_sched: skbprio: Remove overly strict queue assertions",
                            "    - sctp: add mutual exclusion in proc_sctp_do_udp_port()",
                            "    - net: airoha: Fix qid report in airoha_tc_get_htb_get_leaf_queue()",
                            "    - net: airoha: Fix ETS priomap validation",
                            "    - net: mvpp2: Prevent parser TCAM memory corruption",
                            "    - rtnetlink: Use register_pernet_subsys() in rtnl_net_debug_init().",
                            "    - udp: Fix multiple wraparounds of sk->sk_rmem_alloc.",
                            "    - udp: Fix memory accounting leak.",
                            "    - vsock: avoid timeout during connect() if the socket is closing",
                            "    - tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().",
                            "    - xsk: Fix __xsk_generic_xmit() error code when cq is full",
                            "    - net: decrease cached dst counters in dst_release",
                            "    - netfilter: nft_tunnel: fix geneve_opt type confusion addition",
                            "    - sfc: rip out MDIO support",
                            "    - sfc: fix NULL dereferences in ef100_process_design_param()",
                            "    - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS",
                            "    - net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy",
                            "    - net: fix geneve_opt length integer overflow",
                            "    - ipv6: Start path selection from the first nexthop",
                            "    - ipv6: Do not consider link down nexthops in path selection",
                            "    - arcnet: Add NULL check in com20020pci_probe()",
                            "    - net: ibmveth: make veth_pool_store stop hanging",
                            "    - netlink: specs: rt_route: pull the ifa- prefix out of the names",
                            "    - tools/power turbostat: Allow Zero return value for some RAPL registers",
                            "    - kbuild: deb-pkg: don't set KBUILD_BUILD_VERSION unconditionally",
                            "    - drm/xe: Fix unmet direct dependencies warning",
                            "    - drm/amdgpu/gfx11: fix num_mec",
                            "    - drm/amdgpu/gfx12: fix num_mec",
                            "    - perf/core: Fix child_total_time_enabled accounting bug at task exit",
                            "    - tools/power turbostat: report CoreThr per measurement interval",
                            "    - tools/power turbostat: Restore GFX sysfs fflush() call",
                            "    - staging: gpib: ni_usb console messaging cleanup",
                            "    - staging: gpib: Fix Oops after disconnect in ni_usb",
                            "    - staging: gpib: agilent usb console messaging cleanup",
                            "    - staging: gpib: Fix Oops after disconnect in agilent usb",
                            "    - tty: serial: fsl_lpuart: Use u32 and u8 for register variables",
                            "    - tty: serial: fsl_lpuart: use port struct directly to simply code",
                            "    - tty: serial: fsl_lpuart: Fix unused variable 'sport' build warning",
                            "    - tty: serial: lpuart: only disable CTS instead of overwriting the whole",
                            "      UARTMODIR register",
                            "    - usbnet:fix NPE during rx_complete",
                            "    - rust: Fix enabling Rust and building with GCC for LoongArch",
                            "    - LoongArch: Increase ARCH_DMA_MINALIGN up to 16",
                            "    - LoongArch: Increase MAX_IO_PICS up to 8",
                            "    - LoongArch: BPF: Fix off-by-one error in build_prologue()",
                            "    - LoongArch: BPF: Don't override subprog's return value",
                            "    - LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC",
                            "    - x86/hyperv: Fix check of return value from snp_set_vmsa()",
                            "    - KVM: x86: block KVM_CAP_SYNC_REGS if guest state is protected",
                            "    - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value",
                            "    - x86/mce: use is_copy_from_user() to determine copy-from-user context",
                            "    - x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT",
                            "    - x86/tdx: Fix arch_safe_halt() execution for TDX VMs",
                            "    - ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers",
                            "    - platform/x86: thinkpad_acpi: disable ACPI fan access for T495* and E560",
                            "    - platform/x86: ISST: Correct command storage data length",
                            "    - ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()",
                            "    - perf/x86/intel: Apply static call for drain_pebs",
                            "    - perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read",
                            "    - uprobes/x86: Harden uretprobe syscall trampoline check",
                            "    - bcachefs: bch2_ioctl_subvolume_destroy() fixes",
                            "    - x86/Kconfig: Add cmpxchg8b support back to Geode CPUs",
                            "    - x86/tsc: Always save/restore TSC sched_clock() on suspend/resume",
                            "    - x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs",
                            "    - ACPI: platform-profile: Fix CFI violation when accessing sysfs files",
                            "    - wifi: mt76: mt7925: remove unused acpi function for clc",
                            "    - acpi: nfit: fix narrowing conversion in acpi_nfit_ctl",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP",
                            "    - ACPI: video: Handle fetching EDID as ACPI_TYPE_PACKAGE",
                            "    - ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE",
                            "    - [Config] updateconfigs for LD_CAN_USE_KEEP_IN_OVERLAY",
                            "    - ARM: 9444/1: add KEEP() keyword to ARM_VECTORS",
                            "    - media: omap3isp: Handle ARM dma_iommu_mapping",
                            "    - Remove unnecessary firmware version check for gc v9_4_2",
                            "    - mmc: omap: Fix memory leak in mmc_omap_new_slot",
                            "    - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability",
                            "    - mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD",
                            "    - KVM: SVM: Don't change target vCPU state on AP Creation VMGEXIT error",
                            "    - ksmbd: add bounds check for durable handle context",
                            "    - ksmbd: add bounds check for create lease context",
                            "    - ksmbd: fix use-after-free in ksmbd_sessions_deregister()",
                            "    - ksmbd: fix session use-after-free in multichannel connection",
                            "    - ksmbd: fix overflow in dacloffset bounds check",
                            "    - ksmbd: validate zero num_subauth before sub_auth is accessed",
                            "    - ksmbd: fix null pointer dereference in alloc_preauth_hash()",
                            "    - exfat: fix random stack corruption after get_block",
                            "    - exfat: fix potential wrong error return from get_block",
                            "    - tracing: Fix use-after-free in print_graph_function_flags during tracer",
                            "      switching",
                            "    - tracing: Ensure module defining synth event cannot be unloaded while tracing",
                            "    - tracing: Fix synth event printk format for str fields",
                            "    - tracing/osnoise: Fix possible recursive locking for cpus_read_lock()",
                            "    - tracing: Verify event formats that have \"%*p..\"",
                            "    - mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs",
                            "    - arm64: Don't call NULL in do_compat_alignment_fixup()",
                            "    - wifi: mt76: mt7921: fix kernel panic due to null pointer dereference",
                            "    - ext4: don't over-report free space or inodes in statvfs",
                            "    - ext4: fix OOB read when checking dotdot dir",
                            "    - PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion",
                            "    - jfs: fix slab-out-of-bounds read in ea_get()",
                            "    - jfs: add index corruption check to DT_GETPAGE()",
                            "    - mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()",
                            "    - exec: fix the racy usage of fs_struct->in_exec",
                            "    - media: vimc: skip .s_stream() for stopped entities",
                            "    - media: streamzap: fix race between device disconnection and urb callback",
                            "    - nfsd: don't ignore the return code of svc_proc_register()",
                            "    - nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()",
                            "    - nfsd: put dl_stid if fail to queue dl_recall",
                            "    - NFSD: Add a Kconfig setting to enable delegated timestamps",
                            "    - [Config] disable new feature NFSD_V4_DELEG_TIMESTAMPS",
                            "    - nfsd: fix management of listener transports",
                            "    - NFSD: nfsd_unlink() clobbers non-zero status returned from",
                            "      fh_fill_pre_attrs()",
                            "    - NFSD: Never return NFS4ERR_FILE_OPEN when removing a directory",
                            "    - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up",
                            "    - perf pmu: Rename name matching for no suffix or wildcard variants",
                            "    - include/{topology,cpuset}: Move dl_rebuild_rd_accounting to cpuset.h",
                            "    - tracing: Do not use PERF enums when perf is not defined",
                            "    - ASoC: mediatek: mt6359: Fix DT parse error due to wrong child node name",
                            "    - Linux 6.14.2",
                            "",
                            "  * Plucky update: v6.14.1 upstream stable release (LP: #2106661)",
                            "    - ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names",
                            "    - HID: hid-plantronics: Add mic mute mapping and generalize quirks",
                            "    - atm: Fix NULL pointer dereference",
                            "    - cgroup/rstat: Fix forceidle time in cpu.stat",
                            "    - netfilter: socket: Lookup orig tuple for IPv6 SNAT",
                            "    - ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx",
                            "    - ALSA: hda/realtek: Bass speaker fixup for ASUS UM5606KA",
                            "    - counter: stm32-lptimer-cnt: fix error handling when enabling",
                            "    - counter: microchip-tcb-capture: Fix undefined counter channel state on probe",
                            "    - tty: serial: 8250: Add some more device IDs",
                            "    - tty: serial: 8250: Add Brainboxes XC devices",
                            "    - tty: serial: fsl_lpuart: disable transmitter before changing RS485 related",
                            "      registers",
                            "    - net: usb: qmi_wwan: add Telit Cinterion FN990B composition",
                            "    - net: usb: qmi_wwan: add Telit Cinterion FE990B composition",
                            "    - net: usb: usbnet: restore usb%d name exception for local mac addresses",
                            "    - usb: xhci: Don't skip on Stopped - Length Invalid",
                            "    - usb: xhci: Apply the link chain quirk on NEC isoc endpoints",
                            "    - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove",
                            "    - perf tools: Fix up some comments and code to properly use the event_source",
                            "      bus",
                            "    - serial: stm32: do not deassert RS485 RTS GPIO prematurely",
                            "    - serial: 8250_dma: terminate correct DMA in tx_dma_flush()",
                            "    - Linux 6.14.1",
                            "",
                            "  * Null pointer dereference in gVNIC driver (LP: #2106281)",
                            "    - gve: unlink old napi only if page pool exists",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken\"",
                            "    - Revert \"drm: fsl-dcu: enable PIXCLK on LS1021A\"",
                            "    - Revert \"m68k: mvme147: Reinstate early console\"",
                            "    - Revert \"MAINTAINERS: appoint myself the XFS maintainer for 6.12 LTS\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-17.17",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2109741,
                            1786013,
                            2109367,
                            2108854,
                            2108854,
                            2103496,
                            2103617,
                            2103480,
                            2104893,
                            2106449,
                            2097818,
                            2107212,
                            2106661,
                            2106281
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Thu, 01 May 2025 10:39:35 +0300"
                    }
                ],
                "notes": "linux-modules-6.14.0-32-generic version '6.14.0-32.32' (source package linux version '6.14.0-32.32') was added. linux-modules-6.14.0-32-generic version '6.14.0-32.32' has the same source package name, linux, as removed package linux-modules-6.14.0-15-generic. As such we can use the source package version of the removed package, '6.14.0-15.15', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.14.0-15-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-15.15",
                    "version": "6.14.0-15.15"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.14.0-15-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-15.15",
                    "version": "6.14.0-15.15"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.04 plucky image from release image serial 20250617 to 20250923",
    "from_series": "plucky",
    "to_series": "plucky",
    "from_serial": "20250617",
    "to_serial": "20250923",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}