Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-1517
Vulnerability from csaf_certbund
Published
2025-07-08 22:00
Modified
2025-08-31 22:00
Summary
Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht näher spezifizierte Auswirkungen zu erzielen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder nicht n\u00e4her spezifizierte Auswirkungen zu erzielen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-1517 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1517.json" }, { "category": "self", "summary": "WID-SEC-2025-1517 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1517" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38238", "url": "https://lore.kernel.org/linux-cve-announce/2025070930-CVE-2025-38238-dae2@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38241", "url": "https://lore.kernel.org/linux-cve-announce/2025070933-CVE-2025-38241-a50c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38242", "url": "https://lore.kernel.org/linux-cve-announce/2025070933-CVE-2025-38242-8f85@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38243", "url": "https://lore.kernel.org/linux-cve-announce/2025070933-CVE-2025-38243-4b56@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38244", "url": "https://lore.kernel.org/linux-cve-announce/2025070933-CVE-2025-38244-6c2c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38245", "url": "https://lore.kernel.org/linux-cve-announce/2025070933-CVE-2025-38245-a430@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38246", "url": "https://lore.kernel.org/linux-cve-announce/2025070934-CVE-2025-38246-2386@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38247", "url": "https://lore.kernel.org/linux-cve-announce/2025070934-CVE-2025-38247-14ac@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38248", "url": "https://lore.kernel.org/linux-cve-announce/2025070934-CVE-2025-38248-003c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38249", "url": "https://lore.kernel.org/linux-cve-announce/2025070934-CVE-2025-38249-a6a3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38250", "url": "https://lore.kernel.org/linux-cve-announce/2025070934-CVE-2025-38250-3145@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38251", "url": "https://lore.kernel.org/linux-cve-announce/2025070934-CVE-2025-38251-3894@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38252", "url": "https://lore.kernel.org/linux-cve-announce/2025070935-CVE-2025-38252-41d6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38253", "url": "https://lore.kernel.org/linux-cve-announce/2025070935-CVE-2025-38253-a33e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38254", "url": "https://lore.kernel.org/linux-cve-announce/2025070935-CVE-2025-38254-7416@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38255", "url": "https://lore.kernel.org/linux-cve-announce/2025070935-CVE-2025-38255-57aa@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38256", "url": "https://lore.kernel.org/linux-cve-announce/2025070935-CVE-2025-38256-01cc@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38257", "url": "https://lore.kernel.org/linux-cve-announce/2025070935-CVE-2025-38257-3e5d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38258", "url": "https://lore.kernel.org/linux-cve-announce/2025070936-CVE-2025-38258-4e00@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38259", "url": "https://lore.kernel.org/linux-cve-announce/2025070936-CVE-2025-38259-a05a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38260", "url": "https://lore.kernel.org/linux-cve-announce/2025070936-CVE-2025-38260-c8c1@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38261", "url": "https://lore.kernel.org/linux-cve-announce/2025070936-CVE-2025-38261-54c0@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38262", "url": "https://lore.kernel.org/linux-cve-announce/2025070936-CVE-2025-38262-419f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38263", "url": "https://lore.kernel.org/linux-cve-announce/2025070937-CVE-2025-38263-cc93@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38264", "url": "https://lore.kernel.org/linux-cve-announce/2025070937-CVE-2025-38264-ffd2@gregkh/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02588-1 vom 2025-08-01", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQYPF6FAXKWBHQ4POBUPZVPW4L73XJR5/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:12662 vom 2025-08-04", "url": "https://access.redhat.com/errata/RHSA-2025:12662" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-12662 vom 2025-08-11", "url": "https://linux.oracle.com/errata/ELSA-2025-12662.html" }, { "category": "external", "summary": "Debian Security Advisory DSA-5973 vom 2025-08-12", "url": "https://lists.debian.org/debian-security-announce/2025/msg00137.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13960 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:13960" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13961 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:13961" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13962 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:13962" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02851-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022202.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14009 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:14009" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02846-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022192.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02850-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022203.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-13960 vom 2025-08-19", "url": "https://linux.oracle.com/errata/ELSA-2025-13960.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02848-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022193.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02853-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022200.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02852-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022201.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02849-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022204.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02923-1 vom 2025-08-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022237.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-13962 vom 2025-08-20", "url": "https://linux.oracle.com/errata/ELSA-2025-13962.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-14009 vom 2025-08-22", "url": "https://linux.oracle.com/errata/ELSA-2025-14009.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02969-1 vom 2025-08-25", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022259.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14692 vom 2025-08-27", "url": "https://access.redhat.com/errata/RHSA-2025:14692" }, { "category": "external", "summary": "Red Hat vom 2025-08-27", "url": "https://access.redhat.com/errata/RHSA-2025:14742" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02997-1 vom 2025-08-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022283.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02996-1 vom 2025-08-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022291.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20577-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022304.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20586-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022295.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03011-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022327.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03023-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022329.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20601-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022363.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20602-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022362.html" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service", "tracking": { "current_release_date": "2025-08-31T22:00:00.000+00:00", "generator": { "date": "2025-09-01T07:27:13.717+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2025-1517", "initial_release_date": "2025-07-08T22:00:00.000+00:00", "revision_history": [ { "date": "2025-07-08T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-07-09T22:00:00.000+00:00", "number": "2", "summary": "Referenz(en) aufgenommen: EUVD-2025-20810, EUVD-2025-20798, EUVD-2025-20812, EUVD-2025-20797, EUVD-2025-20803, EUVD-2025-20802, EUVD-2025-20801, EUVD-2025-20811, EUVD-2025-20820, EUVD-2025-20819, EUVD-2025-20818, EUVD-2025-20822, EUVD-2025-20817, EUVD-2025-20816, EUVD-2025-20799, EUVD-2025-20815, EUVD-2025-20800, EUVD-2025-20814, EUVD-2025-20813, EUVD-2025-20809, EUVD-2025-20808, EUVD-2025-20807, EUVD-2025-20806, EUVD-2025-20805, EUVD-2025-20804" }, { "date": "2025-08-03T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE und Red Hat aufgenommen" }, { "date": "2025-08-11T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-08-12T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2025-08-17T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2025-08-18T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE, Red Hat und Oracle Linux aufgenommen" }, { "date": "2025-08-19T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-21T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-08-24T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-26T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2025-08-27T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-28T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-31T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "14" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T008144", "product_identification_helper": { "cpe": "cpe:/a:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "category": "product_version", "name": "8.2", "product": { "name": "Red Hat Enterprise Linux 8.2", "product_id": "T046522", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8.2" } } } ], "category": "product_name", "name": "Enterprise Linux" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-38238", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38238" }, { "cve": "CVE-2025-38241", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38241" }, { "cve": "CVE-2025-38242", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38242" }, { "cve": "CVE-2025-38243", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38243" }, { "cve": "CVE-2025-38244", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38244" }, { "cve": "CVE-2025-38245", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38245" }, { "cve": "CVE-2025-38246", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38246" }, { "cve": "CVE-2025-38247", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38247" }, { "cve": "CVE-2025-38248", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38248" }, { "cve": "CVE-2025-38249", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38249" }, { "cve": "CVE-2025-38250", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38250" }, { "cve": "CVE-2025-38251", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38251" }, { "cve": "CVE-2025-38252", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38252" }, { "cve": "CVE-2025-38253", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38253" }, { "cve": "CVE-2025-38254", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38254" }, { "cve": "CVE-2025-38255", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38255" }, { "cve": "CVE-2025-38256", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38256" }, { "cve": "CVE-2025-38257", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38257" }, { "cve": "CVE-2025-38258", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38258" }, { "cve": "CVE-2025-38259", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38259" }, { "cve": "CVE-2025-38260", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38260" }, { "cve": "CVE-2025-38261", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38261" }, { "cve": "CVE-2025-38262", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38262" }, { "cve": "CVE-2025-38263", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38263" }, { "cve": "CVE-2025-38264", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T004914", "T046522", "T008144" ] }, "release_date": "2025-07-08T22:00:00.000+00:00", "title": "CVE-2025-38264" } ] }
CVE-2025-38250 (GCVE-0-2025-38250)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: Fix use-after-free in vhci_flush()
syzbot reported use-after-free in vhci_flush() without repro. [0]
From the splat, a thread close()d a vhci file descriptor while
its device was being used by iotcl() on another thread.
Once the last fd refcnt is released, vhci_release() calls
hci_unregister_dev(), hci_free_dev(), and kfree() for struct
vhci_data, which is set to hci_dev->dev->driver_data.
The problem is that there is no synchronisation after unlinking
hdev from hci_dev_list in hci_unregister_dev(). There might be
another thread still accessing the hdev which was fetched before
the unlink operation.
We can use SRCU for such synchronisation.
Let's run hci_dev_reset() under SRCU and wait for its completion
in hci_unregister_dev().
Another option would be to restore hci_dev->destruct(), which was
removed in commit 587ae086f6e4 ("Bluetooth: Remove unused
hci-destruct cb"). However, this would not be a good solution, as
we should not run hci_unregister_dev() while there are in-flight
ioctl() requests, which could lead to another data-race KCSAN splat.
Note that other drivers seem to have the same problem, for exmaple,
virtbt_remove().
[0]:
BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718
CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
skb_queue_purge include/linux/skbuff.h:3368 [inline]
vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69
hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]
hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592
sock_do_ioctl+0xd9/0x300 net/socket.c:1190
sock_ioctl+0x576/0x790 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcf5b98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929
RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009
RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528
</TASK>
Allocated by task 6535:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635
misc_open+0x2bc/0x330 drivers/char/misc.c:161
chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf0/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3887 [inline]
path_openat+0x2ee5/0x3830 fs/name
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/bluetooth/hci_core.h", "net/bluetooth/hci_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bc0819a25e04cd68ef3568cfa51b63118fea39a7", "status": "affected", "version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f", "versionType": "git" }, { "lessThan": "ce23b73f0f27e2dbeb81734a79db710f05aa33c6", "status": "affected", "version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f", "versionType": "git" }, { "lessThan": "0e5c144c557df910ab64d9c25d06399a9a735e65", "status": "affected", "version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f", "versionType": "git" }, { "lessThan": "1d6123102e9fbedc8d25bf4731da6d513173e49e", "status": "affected", "version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/bluetooth/hci_core.h", "net/bluetooth/hci_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.4" }, { "lessThan": "3.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.97", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.97", "versionStartIncluding": "3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix use-after-free in vhci_flush()\n\nsyzbot reported use-after-free in vhci_flush() without repro. [0]\n\nFrom the splat, a thread close()d a vhci file descriptor while\nits device was being used by iotcl() on another thread.\n\nOnce the last fd refcnt is released, vhci_release() calls\nhci_unregister_dev(), hci_free_dev(), and kfree() for struct\nvhci_data, which is set to hci_dev-\u003edev-\u003edriver_data.\n\nThe problem is that there is no synchronisation after unlinking\nhdev from hci_dev_list in hci_unregister_dev(). There might be\nanother thread still accessing the hdev which was fetched before\nthe unlink operation.\n\nWe can use SRCU for such synchronisation.\n\nLet\u0027s run hci_dev_reset() under SRCU and wait for its completion\nin hci_unregister_dev().\n\nAnother option would be to restore hci_dev-\u003edestruct(), which was\nremoved in commit 587ae086f6e4 (\"Bluetooth: Remove unused\nhci-destruct cb\"). However, this would not be a good solution, as\nwe should not run hci_unregister_dev() while there are in-flight\nioctl() requests, which could lead to another data-race KCSAN splat.\n\nNote that other drivers seem to have the same problem, for exmaple,\nvirtbt_remove().\n\n[0]:\nBUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\nBUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\nRead of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718\n\nCPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\n skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\n skb_queue_purge include/linux/skbuff.h:3368 [inline]\n vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69\n hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]\n hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592\n sock_do_ioctl+0xd9/0x300 net/socket.c:1190\n sock_ioctl+0x576/0x790 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcf5b98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929\nRDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009\nRBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528\n \u003c/TASK\u003e\n\nAllocated by task 6535:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635\n misc_open+0x2bc/0x330 drivers/char/misc.c:161\n chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414\n do_dentry_open+0xdf0/0x1970 fs/open.c:964\n vfs_open+0x3b/0x340 fs/open.c:1094\n do_open fs/namei.c:3887 [inline]\n path_openat+0x2ee5/0x3830 fs/name\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:12.006Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bc0819a25e04cd68ef3568cfa51b63118fea39a7" }, { "url": "https://git.kernel.org/stable/c/ce23b73f0f27e2dbeb81734a79db710f05aa33c6" }, { "url": "https://git.kernel.org/stable/c/0e5c144c557df910ab64d9c25d06399a9a735e65" }, { "url": "https://git.kernel.org/stable/c/1d6123102e9fbedc8d25bf4731da6d513173e49e" } ], "title": "Bluetooth: hci_core: Fix use-after-free in vhci_flush()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38250", "datePublished": "2025-07-09T10:42:30.294Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:12.006Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38247 (GCVE-0-2025-38247)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
userns and mnt_idmap leak in open_tree_attr(2)
Once want_mount_setattr() has returned a positive, it does require
finish_mount_kattr() to release ->mnt_userns. Failing do_mount_setattr()
does not change that.
As the result, we can end up leaking userns and possibly mnt_idmap as
well.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/namespace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "142db4e76110dd80239f4e79810f85ea1735ad60", "status": "affected", "version": "c4a16820d90199409c9bf01c4f794e1e9e8d8fd8", "versionType": "git" }, { "lessThan": "0748e553df0225754c316a92af3a77fdc057b358", "status": "affected", "version": "c4a16820d90199409c9bf01c4f794e1e9e8d8fd8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/namespace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserns and mnt_idmap leak in open_tree_attr(2)\n\nOnce want_mount_setattr() has returned a positive, it does require\nfinish_mount_kattr() to release -\u003emnt_userns. Failing do_mount_setattr()\ndoes not change that.\n\nAs the result, we can end up leaking userns and possibly mnt_idmap as\nwell." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:07.834Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/142db4e76110dd80239f4e79810f85ea1735ad60" }, { "url": "https://git.kernel.org/stable/c/0748e553df0225754c316a92af3a77fdc057b358" } ], "title": "userns and mnt_idmap leak in open_tree_attr(2)", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38247", "datePublished": "2025-07-09T10:42:28.531Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:07.834Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38255 (GCVE-0-2025-38255)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
While testing null_blk with configfs, echo 0 > poll_queues will trigger
following panic:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:__bitmap_or+0x48/0x70
Call Trace:
<TASK>
__group_cpus_evenly+0x822/0x8c0
group_cpus_evenly+0x2d9/0x490
blk_mq_map_queues+0x1e/0x110
null_map_queues+0xc9/0x170 [null_blk]
blk_mq_update_queue_map+0xdb/0x160
blk_mq_update_nr_hw_queues+0x22b/0x560
nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
configfs_write_iter+0x109/0x1d0
vfs_write+0x26e/0x6f0
ksys_write+0x79/0x180
__x64_sys_write+0x1d/0x30
x64_sys_call+0x45c4/0x45f0
do_syscall_64+0xa5/0x240
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from
kcalloc(), and later ZERO_SIZE_PTR will be deferenced.
Fix the problem by checking numgrps first in group_cpus_evenly(), and
return NULL directly if numgrps is zero.
[yukuai3@huawei.com: also fix the non-SMP version]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "lib/group_cpus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "64a99eff8dcf1f951a544e6058341b2b19a8fdbd", "status": "affected", "version": "6a6dcae8f486c3f3298d0767d34505121c7b0b81", "versionType": "git" }, { "lessThan": "29d39e0d5f16c060e32542b2cf351c09fd22b250", "status": "affected", "version": "6a6dcae8f486c3f3298d0767d34505121c7b0b81", "versionType": "git" }, { "lessThan": "911ef2e8a7de5b2bae8ff11fb0bd01f699e6db65", "status": "affected", "version": "6a6dcae8f486c3f3298d0767d34505121c7b0b81", "versionType": "git" }, { "lessThan": "df831e97739405ecbaddb85516bc7d4d1c933d6b", "status": "affected", "version": "6a6dcae8f486c3f3298d0767d34505121c7b0b81", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "lib/group_cpus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()\n\nWhile testing null_blk with configfs, echo 0 \u003e poll_queues will trigger\nfollowing panic:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:__bitmap_or+0x48/0x70\nCall Trace:\n \u003cTASK\u003e\n __group_cpus_evenly+0x822/0x8c0\n group_cpus_evenly+0x2d9/0x490\n blk_mq_map_queues+0x1e/0x110\n null_map_queues+0xc9/0x170 [null_blk]\n blk_mq_update_queue_map+0xdb/0x160\n blk_mq_update_nr_hw_queues+0x22b/0x560\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_poll_queues_store+0xa4/0x130 [null_blk]\n configfs_write_iter+0x109/0x1d0\n vfs_write+0x26e/0x6f0\n ksys_write+0x79/0x180\n __x64_sys_write+0x1d/0x30\n x64_sys_call+0x45c4/0x45f0\n do_syscall_64+0xa5/0x240\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRoot cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from\nkcalloc(), and later ZERO_SIZE_PTR will be deferenced.\n\nFix the problem by checking numgrps first in group_cpus_evenly(), and\nreturn NULL directly if numgrps is zero.\n\n[yukuai3@huawei.com: also fix the non-SMP version]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:19.675Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/64a99eff8dcf1f951a544e6058341b2b19a8fdbd" }, { "url": "https://git.kernel.org/stable/c/29d39e0d5f16c060e32542b2cf351c09fd22b250" }, { "url": "https://git.kernel.org/stable/c/911ef2e8a7de5b2bae8ff11fb0bd01f699e6db65" }, { "url": "https://git.kernel.org/stable/c/df831e97739405ecbaddb85516bc7d4d1c933d6b" } ], "title": "lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38255", "datePublished": "2025-07-09T10:42:33.225Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:19.675Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38253 (GCVE-0-2025-38253)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix crash in wacom_aes_battery_handler()
Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended
inactivity") introduced wacom_aes_battery_handler() which is scheduled
as a delayed work (aes_battery_work).
In wacom_remove(), aes_battery_work is not canceled. Consequently, if
the device is removed while aes_battery_work is still pending, then hard
crashes or "Oops: general protection fault..." are experienced when
wacom_aes_battery_handler() is finally called. E.g., this happens with
built-in USB devices after resume from hibernate when aes_battery_work
was still pending at the time of hibernation.
So, take care to cancel aes_battery_work in wacom_remove().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/wacom_sys.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a4f182ffa30c52ad1c8e12edfb8049ee748c0f1b", "status": "affected", "version": "fd2a9b29dc9c4c35def91d5d1c5b470843539de6", "versionType": "git" }, { "lessThan": "57a3d82200dbeccd002244b96acad570eeeb731f", "status": "affected", "version": "fd2a9b29dc9c4c35def91d5d1c5b470843539de6", "versionType": "git" }, { "lessThan": "f3054152c12e2eed1e72704aff47b0ea58229584", "status": "affected", "version": "fd2a9b29dc9c4c35def91d5d1c5b470843539de6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/wacom_sys.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix crash in wacom_aes_battery_handler()\n\nCommit fd2a9b29dc9c (\"HID: wacom: Remove AES power_supply after extended\ninactivity\") introduced wacom_aes_battery_handler() which is scheduled\nas a delayed work (aes_battery_work).\n\nIn wacom_remove(), aes_battery_work is not canceled. Consequently, if\nthe device is removed while aes_battery_work is still pending, then hard\ncrashes or \"Oops: general protection fault...\" are experienced when\nwacom_aes_battery_handler() is finally called. E.g., this happens with\nbuilt-in USB devices after resume from hibernate when aes_battery_work\nwas still pending at the time of hibernation.\n\nSo, take care to cancel aes_battery_work in wacom_remove()." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:16.609Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a4f182ffa30c52ad1c8e12edfb8049ee748c0f1b" }, { "url": "https://git.kernel.org/stable/c/57a3d82200dbeccd002244b96acad570eeeb731f" }, { "url": "https://git.kernel.org/stable/c/f3054152c12e2eed1e72704aff47b0ea58229584" } ], "title": "HID: wacom: fix crash in wacom_aes_battery_handler()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38253", "datePublished": "2025-07-09T10:42:32.059Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:16.609Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38249 (GCVE-0-2025-38249)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
In snd_usb_get_audioformat_uac3(), the length value returned from
snd_usb_ctl_msg() is used directly for memory allocation without
validation. This length is controlled by the USB device.
The allocated buffer is cast to a uac3_cluster_header_descriptor
and its fields are accessed without verifying that the buffer
is large enough. If the device returns a smaller than expected
length, this leads to an out-of-bounds read.
Add a length check to ensure the buffer is large enough for
uac3_cluster_header_descriptor.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf Version: 9a2fe9b801f585baccf8352d82839dcd54b300cf |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/usb/stream.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "24ff7d465c4284529bbfa207757bffb6f44b6403", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "2dc1c3edf67abd30c757f8054a5da61927cdda21", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "c3fb926abe90d86f5e3055e0035f04d9892a118b", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "6eb211788e1370af52a245d4d7da35c374c7b401", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "74fcb3852a2f579151ce80b9ed96cd916ba0d5d8", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "0ee87c2814deb5e42921281116ac3abcb326880b", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "11e740dc1a2c8590eb7074b5c4ab921bb6224c36", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" }, { "lessThan": "fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a", "status": "affected", "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/usb/stream.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.17" }, { "lessThan": "4.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.296", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.240", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.187", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.296", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.240", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.187", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()\n\nIn snd_usb_get_audioformat_uac3(), the length value returned from\nsnd_usb_ctl_msg() is used directly for memory allocation without\nvalidation. This length is controlled by the USB device.\n\nThe allocated buffer is cast to a uac3_cluster_header_descriptor\nand its fields are accessed without verifying that the buffer\nis large enough. If the device returns a smaller than expected\nlength, this leads to an out-of-bounds read.\n\nAdd a length check to ensure the buffer is large enough for\nuac3_cluster_header_descriptor." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:10.661Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/24ff7d465c4284529bbfa207757bffb6f44b6403" }, { "url": "https://git.kernel.org/stable/c/2dc1c3edf67abd30c757f8054a5da61927cdda21" }, { "url": "https://git.kernel.org/stable/c/c3fb926abe90d86f5e3055e0035f04d9892a118b" }, { "url": "https://git.kernel.org/stable/c/6eb211788e1370af52a245d4d7da35c374c7b401" }, { "url": "https://git.kernel.org/stable/c/74fcb3852a2f579151ce80b9ed96cd916ba0d5d8" }, { "url": "https://git.kernel.org/stable/c/0ee87c2814deb5e42921281116ac3abcb326880b" }, { "url": "https://git.kernel.org/stable/c/11e740dc1a2c8590eb7074b5c4ab921bb6224c36" }, { "url": "https://git.kernel.org/stable/c/fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a" } ], "title": "ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38249", "datePublished": "2025-07-09T10:42:29.704Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:10.661Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38246 (GCVE-0-2025-38246)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt: properly flush XDP redirect lists
We encountered following crash when testing a XDP_REDIRECT feature
in production:
[56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd
40f30).
[56251.601413] ------------[ cut here ]------------
[56251.611357] kernel BUG at lib/list_debug.c:29!
[56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6.
3 #1
[56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE
[56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025
[56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0
[56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48
89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89
[56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246
[56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000
[56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80
[56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18
[56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000
[56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40
[56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000
[56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0
[56251.831365] PKRU: 55555554
[56251.838653] Call Trace:
[56251.845560] <IRQ>
[56251.851943] cpu_map_enqueue.cold+0x5/0xa
[56251.860243] xdp_do_redirect+0x2d9/0x480
[56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en]
[56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en]
[56251.885665] ? cpu_max_write+0x1e/0x100
[56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5
[56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en]
[56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en]
[56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5
[56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5
[56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5
[56251.944250] __napi_poll+0x2b/0x160
[56251.951155] bpf_trampoline_6442548651+0x79/0x123
[56251.959262] __napi_poll+0x5/0x160
[56251.966037] net_rx_action+0x3d2/0x880
[56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5
[56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5
[56251.989262] ? __hrtimer_run_queues+0x162/0x2a0
[56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5
[56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5
[56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en]
[56252.019903] handle_softirqs+0xcf/0x270
[56252.026650] irq_exit_rcu+0x67/0x90
[56252.032933] common_interrupt+0x85/0xa0
[56252.039498] </IRQ>
[56252.044246] <TASK>
[56252.048935] asm_common_interrupt+0x26/0x40
[56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420
[56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae
01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29
[56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202
[56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000
[56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000
[56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e
[56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860
[56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000
[56252.146667] ? cpuidle_enter_state+0xab/0x420
[56252.153909] cpuidle_enter+0x2d/0x40
[56252.160360] do_idle+0x176/0x1c0
[56252.166456
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/bnxt/bnxt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "16254aa985d14dee050564c4a3936f3dc096e1f7", "status": "affected", "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8", "versionType": "git" }, { "lessThan": "c6665b8f0f58082c480ed8627029f44d046ef2c8", "status": "affected", "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8", "versionType": "git" }, { "lessThan": "02bf488d56df9db4f5147280b65d9011e1ab88d2", "status": "affected", "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8", "versionType": "git" }, { "lessThan": "9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f", "status": "affected", "version": "a7559bc8c17c3f9a91dcbeefe8642ba757fd09e8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/bnxt/bnxt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.97", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.97", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: properly flush XDP redirect lists\n\nWe encountered following crash when testing a XDP_REDIRECT feature\nin production:\n\n[56251.579676] list_add corruption. next-\u003eprev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd\n40f30).\n[56251.601413] ------------[ cut here ]------------\n[56251.611357] kernel BUG at lib/list_debug.c:29!\n[56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6.\n3 #1\n[56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE\n[56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025\n[56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0\n[56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48\n 89 c6 e8 25 16 fe ff \u003c0f\u003e 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89\n[56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246\n[56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000\n[56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80\n[56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18\n[56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000\n[56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40\n[56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000\n[56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0\n[56251.831365] PKRU: 55555554\n[56251.838653] Call Trace:\n[56251.845560] \u003cIRQ\u003e\n[56251.851943] cpu_map_enqueue.cold+0x5/0xa\n[56251.860243] xdp_do_redirect+0x2d9/0x480\n[56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en]\n[56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en]\n[56251.885665] ? cpu_max_write+0x1e/0x100\n[56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en]\n[56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en]\n[56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.944250] __napi_poll+0x2b/0x160\n[56251.951155] bpf_trampoline_6442548651+0x79/0x123\n[56251.959262] __napi_poll+0x5/0x160\n[56251.966037] net_rx_action+0x3d2/0x880\n[56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.989262] ? __hrtimer_run_queues+0x162/0x2a0\n[56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5\n[56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5\n[56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en]\n[56252.019903] handle_softirqs+0xcf/0x270\n[56252.026650] irq_exit_rcu+0x67/0x90\n[56252.032933] common_interrupt+0x85/0xa0\n[56252.039498] \u003c/IRQ\u003e\n[56252.044246] \u003cTASK\u003e\n[56252.048935] asm_common_interrupt+0x26/0x40\n[56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420\n[56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae\n 01 00 00 fb 45 85 f6 \u003c0f\u003e 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29\n[56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202\n[56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000\n[56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000\n[56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e\n[56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860\n[56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000\n[56252.146667] ? cpuidle_enter_state+0xab/0x420\n[56252.153909] cpuidle_enter+0x2d/0x40\n[56252.160360] do_idle+0x176/0x1c0\n[56252.166456\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:06.087Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/16254aa985d14dee050564c4a3936f3dc096e1f7" }, { "url": "https://git.kernel.org/stable/c/c6665b8f0f58082c480ed8627029f44d046ef2c8" }, { "url": "https://git.kernel.org/stable/c/02bf488d56df9db4f5147280b65d9011e1ab88d2" }, { "url": "https://git.kernel.org/stable/c/9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f" } ], "title": "bnxt: properly flush XDP redirect lists", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38246", "datePublished": "2025-07-09T10:42:27.908Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:06.087Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38264 (GCVE-0-2025-38264)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: sanitize request list handling
Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of
any list, otherwise a malicious R2T PDU might inject a loop in request
list processing.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/nvme/host/tcp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "78a4adcd3fedb0728436e8094848ebf4c6bae006", "status": "affected", "version": "3f2304f8c6d6ed97849057bd16fee99e434ca796", "versionType": "git" }, { "lessThan": "f054ea62598197714a6ca7b3b387a027308f8b13", "status": "affected", "version": "3f2304f8c6d6ed97849057bd16fee99e434ca796", "versionType": "git" }, { "lessThan": "0bf04c874fcb1ae46a863034296e4b33d8fbd66c", "status": "affected", "version": "3f2304f8c6d6ed97849057bd16fee99e434ca796", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/nvme/host/tcp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: sanitize request list handling\n\nValidate the request in nvme_tcp_handle_r2t() to ensure it\u0027s not part of\nany list, otherwise a malicious R2T PDU might inject a loop in request\nlist processing." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:37.400Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/78a4adcd3fedb0728436e8094848ebf4c6bae006" }, { "url": "https://git.kernel.org/stable/c/f054ea62598197714a6ca7b3b387a027308f8b13" }, { "url": "https://git.kernel.org/stable/c/0bf04c874fcb1ae46a863034296e4b33d8fbd66c" } ], "title": "nvme-tcp: sanitize request list handling", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38264", "datePublished": "2025-07-09T10:42:38.602Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:37.400Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38262 (GCVE-0-2025-38262)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: uartlite: register uart driver in init
When two instances of uart devices are probing, a concurrency race can
occur. If one thread calls uart_register_driver function, which first
allocates and assigns memory to 'uart_state' member of uart_driver
structure, the other instance can bypass uart driver registration and
call ulite_assign. This calls uart_add_one_port, which expects the uart
driver to be fully initialized. This leads to a kernel panic due to a
null pointer dereference:
[ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8
[ 8.156982] #PF: supervisor write access in kernel mode
[ 8.156984] #PF: error_code(0x0002) - not-present page
[ 8.156986] PGD 0 P4D 0
...
[ 8.180668] RIP: 0010:mutex_lock+0x19/0x30
[ 8.188624] Call Trace:
[ 8.188629] ? __die_body.cold+0x1a/0x1f
[ 8.195260] ? page_fault_oops+0x15c/0x290
[ 8.209183] ? __irq_resolve_mapping+0x47/0x80
[ 8.209187] ? exc_page_fault+0x64/0x140
[ 8.209190] ? asm_exc_page_fault+0x22/0x30
[ 8.209196] ? mutex_lock+0x19/0x30
[ 8.223116] uart_add_one_port+0x60/0x440
[ 8.223122] ? proc_tty_register_driver+0x43/0x50
[ 8.223126] ? tty_register_driver+0x1ca/0x1e0
[ 8.246250] ulite_probe+0x357/0x4b0 [uartlite]
To prevent it, move uart driver registration in to init function. This
will ensure that uart_driver is always registered when probe function
is called.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 Version: 238b8721a554a33a451a3f13bdb5be8fe5cfc927 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/tty/serial/uartlite.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5015eed450005bab6e5cb6810f7a62eab0434fc4", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" }, { "lessThan": "9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" }, { "lessThan": "6db06aaea07bb7c8e33a425cf7b98bf29ee6056e", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" }, { "lessThan": "8e958d10dd0ce5ae674cce460db5c9ca3f25243b", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" }, { "lessThan": "685d29f2c5057b32c7b1b46f2a7d303b926c8f72", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" }, { "lessThan": "f5e4229d94792b40e750f30c92bcf7a3107c72ef", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" }, { "lessThan": "6bd697b5fc39fd24e2aa418c7b7d14469f550a93", "status": "affected", "version": "238b8721a554a33a451a3f13bdb5be8fe5cfc927", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/tty/serial/uartlite.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.20" }, { "lessThan": "2.6.20", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.296", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.187", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.296", "versionStartIncluding": "2.6.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.187", "versionStartIncluding": "2.6.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "2.6.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "2.6.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "2.6.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "2.6.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: uartlite: register uart driver in init\n\nWhen two instances of uart devices are probing, a concurrency race can\noccur. If one thread calls uart_register_driver function, which first\nallocates and assigns memory to \u0027uart_state\u0027 member of uart_driver\nstructure, the other instance can bypass uart driver registration and\ncall ulite_assign. This calls uart_add_one_port, which expects the uart\ndriver to be fully initialized. This leads to a kernel panic due to a\nnull pointer dereference:\n\n[ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8\n[ 8.156982] #PF: supervisor write access in kernel mode\n[ 8.156984] #PF: error_code(0x0002) - not-present page\n[ 8.156986] PGD 0 P4D 0\n...\n[ 8.180668] RIP: 0010:mutex_lock+0x19/0x30\n[ 8.188624] Call Trace:\n[ 8.188629] ? __die_body.cold+0x1a/0x1f\n[ 8.195260] ? page_fault_oops+0x15c/0x290\n[ 8.209183] ? __irq_resolve_mapping+0x47/0x80\n[ 8.209187] ? exc_page_fault+0x64/0x140\n[ 8.209190] ? asm_exc_page_fault+0x22/0x30\n[ 8.209196] ? mutex_lock+0x19/0x30\n[ 8.223116] uart_add_one_port+0x60/0x440\n[ 8.223122] ? proc_tty_register_driver+0x43/0x50\n[ 8.223126] ? tty_register_driver+0x1ca/0x1e0\n[ 8.246250] ulite_probe+0x357/0x4b0 [uartlite]\n\nTo prevent it, move uart driver registration in to init function. This\nwill ensure that uart_driver is always registered when probe function\nis called." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:34.836Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5015eed450005bab6e5cb6810f7a62eab0434fc4" }, { "url": "https://git.kernel.org/stable/c/9c905fdbba68a6d73d39a6b7de9b9f0d6c46df87" }, { "url": "https://git.kernel.org/stable/c/6db06aaea07bb7c8e33a425cf7b98bf29ee6056e" }, { "url": "https://git.kernel.org/stable/c/8e958d10dd0ce5ae674cce460db5c9ca3f25243b" }, { "url": "https://git.kernel.org/stable/c/685d29f2c5057b32c7b1b46f2a7d303b926c8f72" }, { "url": "https://git.kernel.org/stable/c/f5e4229d94792b40e750f30c92bcf7a3107c72ef" }, { "url": "https://git.kernel.org/stable/c/6bd697b5fc39fd24e2aa418c7b7d14469f550a93" } ], "title": "tty: serial: uartlite: register uart driver in init", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38262", "datePublished": "2025-07-09T10:42:37.410Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:34.836Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38245 (GCVE-0-2025-38245)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
syzbot reported a warning below during atm_dev_register(). [0]
Before creating a new device and procfs/sysfs for it, atm_dev_register()
looks up a duplicated device by __atm_dev_lookup(). These operations are
done under atm_dev_mutex.
However, when removing a device in atm_dev_deregister(), it releases the
mutex just after removing the device from the list that __atm_dev_lookup()
iterates over.
So, there will be a small race window where the device does not exist on
the device list but procfs/sysfs are still not removed, triggering the
splat.
Let's hold the mutex until procfs/sysfs are removed in
atm_dev_deregister().
[0]:
proc_dir_entry 'atm/atmtcp:0' already registered
WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377
Modules linked in:
CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377
Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48
RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001
RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140
R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444
FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_create_data+0xbe/0x110 fs/proc/generic.c:585
atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361
atm_dev_register+0x46d/0x890 net/atm/resources.c:113
atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369
atmtcp_attach drivers/atm/atmtcp.c:403 [inline]
atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
sock_do_ioctl+0x115/0x280 net/socket.c:1190
sock_ioctl+0x227/0x6b0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f38b3b74459
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459
RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005
RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac
R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b
</TASK>
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 Version: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/atm/resources.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2a8dcee649d12f69713f2589171a1caf6d4fa439", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "4bb1bb438134d9ee6b97cc07289dd7c569092eec", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "26248d5d68c865b888d632162abbf8130645622c", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "b2e40fcfe1575faaa548f87614006d3fe44c779e", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "cabed6ba92a9a8c09da02a3f20e32ecd80989896", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "ae539d963a17443ec54cba8a767e4ffa318264f4", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "6922f1a048c090f10704bbef4a3a1e81932d2e0a", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" }, { "lessThan": "a433791aeaea6e84df709e0b9584b9bbe040cd1c", "status": "affected", "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/atm/resources.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.15" }, { "lessThan": "2.6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.296", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.240", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.187", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.296", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.240", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.187", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "2.6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().\n\nsyzbot reported a warning below during atm_dev_register(). [0]\n\nBefore creating a new device and procfs/sysfs for it, atm_dev_register()\nlooks up a duplicated device by __atm_dev_lookup(). These operations are\ndone under atm_dev_mutex.\n\nHowever, when removing a device in atm_dev_deregister(), it releases the\nmutex just after removing the device from the list that __atm_dev_lookup()\niterates over.\n\nSo, there will be a small race window where the device does not exist on\nthe device list but procfs/sysfs are still not removed, triggering the\nsplat.\n\nLet\u0027s hold the mutex until procfs/sysfs are removed in\natm_dev_deregister().\n\n[0]:\nproc_dir_entry \u0027atm/atmtcp:0\u0027 already registered\nWARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377\nModules linked in:\nCPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nRIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377\nCode: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 \u003c0f\u003e 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48\nRSP: 0018:ffffc9000466fa30 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248\nRDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001\nRBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140\nR13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444\nFS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_create_data+0xbe/0x110 fs/proc/generic.c:585\n atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361\n atm_dev_register+0x46d/0x890 net/atm/resources.c:113\n atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369\n atmtcp_attach drivers/atm/atmtcp.c:403 [inline]\n atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464\n do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n sock_do_ioctl+0x115/0x280 net/socket.c:1190\n sock_ioctl+0x227/0x6b0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f38b3b74459\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459\nRDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005\nRBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac\nR13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:04.621Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2a8dcee649d12f69713f2589171a1caf6d4fa439" }, { "url": "https://git.kernel.org/stable/c/4bb1bb438134d9ee6b97cc07289dd7c569092eec" }, { "url": "https://git.kernel.org/stable/c/26248d5d68c865b888d632162abbf8130645622c" }, { "url": "https://git.kernel.org/stable/c/b2e40fcfe1575faaa548f87614006d3fe44c779e" }, { "url": "https://git.kernel.org/stable/c/cabed6ba92a9a8c09da02a3f20e32ecd80989896" }, { "url": "https://git.kernel.org/stable/c/ae539d963a17443ec54cba8a767e4ffa318264f4" }, { "url": "https://git.kernel.org/stable/c/6922f1a048c090f10704bbef4a3a1e81932d2e0a" }, { "url": "https://git.kernel.org/stable/c/a433791aeaea6e84df709e0b9584b9bbe040cd1c" } ], "title": "atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38245", "datePublished": "2025-07-09T10:42:27.263Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:04.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38263 (GCVE-0-2025-38263)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bcache: fix NULL pointer in cache_set_flush()
1. LINE#1794 - LINE#1887 is some codes about function of
bch_cache_set_alloc().
2. LINE#2078 - LINE#2142 is some codes about function of
register_cache_set().
3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.
1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
1795 {
...
1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||
1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||
1862 mempool_init_kmalloc_pool(&c->bio_meta, 2,
1863 sizeof(struct bbio) + sizeof(struct bio_vec) *
1864 bucket_pages(c)) ||
1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||
1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),
1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||
1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||
1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc",
1870 WQ_MEM_RECLAIM, 0)) ||
1871 bch_journal_alloc(c) ||
1872 bch_btree_cache_alloc(c) ||
1873 bch_open_buckets_alloc(c) ||
1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))
1875 goto err;
^^^^^^^^
1876
...
1883 return c;
1884 err:
1885 bch_cache_set_unregister(c);
^^^^^^^^^^^^^^^^^^^^^^^^^^^
1886 return NULL;
1887 }
...
2078 static const char *register_cache_set(struct cache *ca)
2079 {
...
2098 c = bch_cache_set_alloc(&ca->sb);
2099 if (!c)
2100 return err;
^^^^^^^^^^
...
2128 ca->set = c;
2129 ca->set->cache[ca->sb.nr_this_dev] = ca;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
2138 return NULL;
2139 err:
2140 bch_cache_set_unregister(c);
2141 return err;
2142 }
(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and
call bch_cache_set_unregister()(LINE#1885).
(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.
(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the
value to c->cache[], it means that c->cache[] is NULL.
LINE#1624 - LINE#1665 is some codes about function of cache_set_flush().
As (1), in LINE#1885 call
bch_cache_set_unregister()
---> bch_cache_set_stop()
---> closure_queue()
-.-> cache_set_flush() (as below LINE#1624)
1624 static void cache_set_flush(struct closure *cl)
1625 {
...
1654 for_each_cache(ca, c, i)
1655 if (ca->alloc_thread)
^^
1656 kthread_stop(ca->alloc_thread);
...
1665 }
(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the
kernel crash occurred as below:
[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory
[ 846.713242] bcache: register_bcache() error : failed to register device
[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered
[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8
[ 846.714790] PGD 0 P4D 0
[ 846.715129] Oops: 0000 [#1] SMP PTI
[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1
[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018
[ 846.716451] Workqueue: events cache_set_flush [bcache]
[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]
[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 Version: cafe563591446cf80bfbc2fe3bc72a2e36cf1060 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/bcache/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d54681938b777488e5dfb781b566d16adad991de", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" }, { "lessThan": "1f25f2d3fa29325320c19a30abf787e0bd5fc91b", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" }, { "lessThan": "c4f5e7e417034b05f5d2f5fa9a872db897da69bd", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" }, { "lessThan": "553f560e0a74a7008ad9dba05c3fd05da296befb", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" }, { "lessThan": "667c3f52373ff5354cb3543e27237eb7df7b2333", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" }, { "lessThan": "3f9e128186c99a117e304f1dce6d0b9e50c63cd8", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" }, { "lessThan": "1e46ed947ec658f89f1a910d880cd05e42d3763e", "status": "affected", "version": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/bcache/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.10" }, { "lessThan": "3.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.240", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.187", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.240", "versionStartIncluding": "3.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.187", "versionStartIncluding": "3.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "3.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "3.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "3.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "3.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n register_cache_set().\n3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860 if (!(c-\u003edevices = kcalloc(c-\u003enr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861 mempool_init_slab_pool(\u0026c-\u003esearch, 32, bch_search_cache) ||\n 1862 mempool_init_kmalloc_pool(\u0026c-\u003ebio_meta, 2,\n 1863 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864 bucket_pages(c)) ||\n 1865 mempool_init_kmalloc_pool(\u0026c-\u003efill_iter, 1, iter_size) ||\n 1866 bioset_init(\u0026c-\u003ebio_split, 4, offsetof(struct bbio, bio),\n 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868 !(c-\u003euuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869 !(c-\u003emoving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870 WQ_MEM_RECLAIM, 0)) ||\n 1871 bch_journal_alloc(c) ||\n 1872 bch_btree_cache_alloc(c) ||\n 1873 bch_open_buckets_alloc(c) ||\n 1874 bch_bset_sort_state_init(\u0026c-\u003esort, ilog2(c-\u003ebtree_pages)))\n 1875 goto err;\n ^^^^^^^^\n 1876\n ...\n 1883 return c;\n 1884 err:\n 1885 bch_cache_set_unregister(c);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886 return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098 c = bch_cache_set_alloc(\u0026ca-\u003esb);\n 2099 if (!c)\n 2100 return err;\n ^^^^^^^^^^\n ...\n 2128 ca-\u003eset = c;\n 2129 ca-\u003eset-\u003ecache[ca-\u003esb.nr_this_dev] = ca;\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138 return NULL;\n 2139 err:\n 2140 bch_cache_set_unregister(c);\n 2141 return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do \u0027goto err\u0027(LINE#1875) and\n call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n value to c-\u003ecache[], it means that c-\u003ecache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---\u003e bch_cache_set_stop()\n ---\u003e closure_queue()\n -.-\u003e cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654 for_each_cache(ca, c, i)\n 1655 if (ca-\u003ealloc_thread)\n ^^\n 1656 kthread_stop(ca-\u003ealloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n kernel crash occurred as below:\n[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[ 846.713242] bcache: register_bcache() error : failed to register device\n[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[ 846.714790] PGD 0 P4D 0\n[ 846.715129] Oops: 0000 [#1] SMP PTI\n[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[ 846.716451] Workqueue: events cache_set_flush [bcache]\n[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 \u003c48\u003e 8b b8 f8 09 00 0\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:36.043Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d54681938b777488e5dfb781b566d16adad991de" }, { "url": "https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b" }, { "url": "https://git.kernel.org/stable/c/c4f5e7e417034b05f5d2f5fa9a872db897da69bd" }, { "url": "https://git.kernel.org/stable/c/553f560e0a74a7008ad9dba05c3fd05da296befb" }, { "url": "https://git.kernel.org/stable/c/667c3f52373ff5354cb3543e27237eb7df7b2333" }, { "url": "https://git.kernel.org/stable/c/3f9e128186c99a117e304f1dce6d0b9e50c63cd8" }, { "url": "https://git.kernel.org/stable/c/1e46ed947ec658f89f1a910d880cd05e42d3763e" } ], "title": "bcache: fix NULL pointer in cache_set_flush()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38263", "datePublished": "2025-07-09T10:42:37.990Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:36.043Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38242 (GCVE-0-2025-38242)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: userfaultfd: fix race of userfaultfd_move and swap cache
This commit fixes two kinds of races, they may have different results:
Barry reported a BUG_ON in commit c50f8e6053b0, we may see the same
BUG_ON if the filemap lookup returned NULL and folio is added to swap
cache after that.
If another kind of race is triggered (folio changed after lookup) we
may see RSS counter is corrupted:
[ 406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0
type:MM_ANONPAGES val:-1
[ 406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0
type:MM_SHMEMPAGES val:1
Because the folio is being accounted to the wrong VMA.
I'm not sure if there will be any data corruption though, seems no.
The issues above are critical already.
On seeing a swap entry PTE, userfaultfd_move does a lockless swap cache
lookup, and tries to move the found folio to the faulting vma. Currently,
it relies on checking the PTE value to ensure that the moved folio still
belongs to the src swap entry and that no new folio has been added to the
swap cache, which turns out to be unreliable.
While working and reviewing the swap table series with Barry, following
existing races are observed and reproduced [1]:
In the example below, move_pages_pte is moving src_pte to dst_pte, where
src_pte is a swap entry PTE holding swap entry S1, and S1 is not in the
swap cache:
CPU1 CPU2
userfaultfd_move
move_pages_pte()
entry = pte_to_swp_entry(orig_src_pte);
// Here it got entry = S1
... < interrupted> ...
<swapin src_pte, alloc and use folio A>
// folio A is a new allocated folio
// and get installed into src_pte
<frees swap entry S1>
// src_pte now points to folio A, S1
// has swap count == 0, it can be freed
// by folio_swap_swap or swap
// allocator's reclaim.
<try to swap out another folio B>
// folio B is a folio in another VMA.
<put folio B to swap cache using S1 >
// S1 is freed, folio B can use it
// for swap out with no problem.
...
folio = filemap_get_folio(S1)
// Got folio B here !!!
... < interrupted again> ...
<swapin folio B and free S1>
// Now S1 is free to be used again.
<swapout src_pte & folio A using S1>
// Now src_pte is a swap entry PTE
// holding S1 again.
folio_trylock(folio)
move_swap_pte
double_pt_lock
is_pte_pages_stable
// Check passed because src_pte == S1
folio_move_anon_rmap(...)
// Moved invalid folio B here !!!
The race window is very short and requires multiple collisions of multiple
rare events, so it's very unlikely to happen, but with a deliberately
constructed reproducer and increased time window, it can be reproduced
easily.
This can be fixed by checking if the folio returned by filemap is the
valid swap cache folio after acquiring the folio lock.
Another similar race is possible: filemap_get_folio may return NULL, but
folio (A) could be swapped in and then swapped out again using the same
swap entry after the lookup. In such a case, folio (A) may remain in the
swap cache, so it must be moved too:
CPU1 CPU2
userfaultfd_move
move_pages_pte()
entry = pte_to_swp_entry(orig_src_pte);
// Here it got entry = S1, and S1 is not in swap cache
folio = filemap_get
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/userfaultfd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4c443046d8c9ed8724a4f4c3c2457d3ac8814b2f", "status": "affected", "version": "adef440691bab824e39c1b17382322d195e1fab0", "versionType": "git" }, { "lessThan": "db2ca8074955ca64187a4fb596dd290b9c446cd3", "status": "affected", "version": "adef440691bab824e39c1b17382322d195e1fab0", "versionType": "git" }, { "lessThan": "0ea148a799198518d8ebab63ddd0bb6114a103bc", "status": "affected", "version": "adef440691bab824e39c1b17382322d195e1fab0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/userfaultfd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.37", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.37", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: userfaultfd: fix race of userfaultfd_move and swap cache\n\nThis commit fixes two kinds of races, they may have different results:\n\nBarry reported a BUG_ON in commit c50f8e6053b0, we may see the same\nBUG_ON if the filemap lookup returned NULL and folio is added to swap\ncache after that.\n\nIf another kind of race is triggered (folio changed after lookup) we\nmay see RSS counter is corrupted:\n\n[ 406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0\ntype:MM_ANONPAGES val:-1\n[ 406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0\ntype:MM_SHMEMPAGES val:1\n\nBecause the folio is being accounted to the wrong VMA.\n\nI\u0027m not sure if there will be any data corruption though, seems no. \nThe issues above are critical already.\n\n\nOn seeing a swap entry PTE, userfaultfd_move does a lockless swap cache\nlookup, and tries to move the found folio to the faulting vma. Currently,\nit relies on checking the PTE value to ensure that the moved folio still\nbelongs to the src swap entry and that no new folio has been added to the\nswap cache, which turns out to be unreliable.\n\nWhile working and reviewing the swap table series with Barry, following\nexisting races are observed and reproduced [1]:\n\nIn the example below, move_pages_pte is moving src_pte to dst_pte, where\nsrc_pte is a swap entry PTE holding swap entry S1, and S1 is not in the\nswap cache:\n\nCPU1 CPU2\nuserfaultfd_move\n move_pages_pte()\n entry = pte_to_swp_entry(orig_src_pte);\n // Here it got entry = S1\n ... \u003c interrupted\u003e ...\n \u003cswapin src_pte, alloc and use folio A\u003e\n // folio A is a new allocated folio\n // and get installed into src_pte\n \u003cfrees swap entry S1\u003e\n // src_pte now points to folio A, S1\n // has swap count == 0, it can be freed\n // by folio_swap_swap or swap\n // allocator\u0027s reclaim.\n \u003ctry to swap out another folio B\u003e\n // folio B is a folio in another VMA.\n \u003cput folio B to swap cache using S1 \u003e\n // S1 is freed, folio B can use it\n // for swap out with no problem.\n ...\n folio = filemap_get_folio(S1)\n // Got folio B here !!!\n ... \u003c interrupted again\u003e ...\n \u003cswapin folio B and free S1\u003e\n // Now S1 is free to be used again.\n \u003cswapout src_pte \u0026 folio A using S1\u003e\n // Now src_pte is a swap entry PTE\n // holding S1 again.\n folio_trylock(folio)\n move_swap_pte\n double_pt_lock\n is_pte_pages_stable\n // Check passed because src_pte == S1\n folio_move_anon_rmap(...)\n // Moved invalid folio B here !!!\n\nThe race window is very short and requires multiple collisions of multiple\nrare events, so it\u0027s very unlikely to happen, but with a deliberately\nconstructed reproducer and increased time window, it can be reproduced\neasily.\n\nThis can be fixed by checking if the folio returned by filemap is the\nvalid swap cache folio after acquiring the folio lock.\n\nAnother similar race is possible: filemap_get_folio may return NULL, but\nfolio (A) could be swapped in and then swapped out again using the same\nswap entry after the lookup. In such a case, folio (A) may remain in the\nswap cache, so it must be moved too:\n\nCPU1 CPU2\nuserfaultfd_move\n move_pages_pte()\n entry = pte_to_swp_entry(orig_src_pte);\n // Here it got entry = S1, and S1 is not in swap cache\n folio = filemap_get\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:15:59.615Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4c443046d8c9ed8724a4f4c3c2457d3ac8814b2f" }, { "url": "https://git.kernel.org/stable/c/db2ca8074955ca64187a4fb596dd290b9c446cd3" }, { "url": "https://git.kernel.org/stable/c/0ea148a799198518d8ebab63ddd0bb6114a103bc" } ], "title": "mm: userfaultfd: fix race of userfaultfd_move and swap cache", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38242", "datePublished": "2025-07-09T10:42:25.396Z", "dateReserved": "2025-04-16T04:51:23.996Z", "dateUpdated": "2025-07-28T04:15:59.615Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38244 (GCVE-0-2025-38244)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential deadlock when reconnecting channels
Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order
and prevent the following deadlock from happening
======================================================
WARNING: possible circular locking dependency detected
6.16.0-rc3-build2+ #1301 Tainted: G S W
------------------------------------------------------
cifsd/6055 is trying to acquire lock:
ffff88810ad56038 (&tcp_ses->srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200
but task is already holding lock:
ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&ret_buf->chan_lock){+.+.}-{3:3}:
validate_chain+0x1cf/0x270
__lock_acquire+0x60e/0x780
lock_acquire.part.0+0xb4/0x1f0
_raw_spin_lock+0x2f/0x40
cifs_setup_session+0x81/0x4b0
cifs_get_smb_ses+0x771/0x900
cifs_mount_get_session+0x7e/0x170
cifs_mount+0x92/0x2d0
cifs_smb3_do_mount+0x161/0x460
smb3_get_tree+0x55/0x90
vfs_get_tree+0x46/0x180
do_new_mount+0x1b0/0x2e0
path_mount+0x6ee/0x740
do_mount+0x98/0xe0
__do_sys_mount+0x148/0x180
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #1 (&ret_buf->ses_lock){+.+.}-{3:3}:
validate_chain+0x1cf/0x270
__lock_acquire+0x60e/0x780
lock_acquire.part.0+0xb4/0x1f0
_raw_spin_lock+0x2f/0x40
cifs_match_super+0x101/0x320
sget+0xab/0x270
cifs_smb3_do_mount+0x1e0/0x460
smb3_get_tree+0x55/0x90
vfs_get_tree+0x46/0x180
do_new_mount+0x1b0/0x2e0
path_mount+0x6ee/0x740
do_mount+0x98/0xe0
__do_sys_mount+0x148/0x180
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #0 (&tcp_ses->srv_lock){+.+.}-{3:3}:
check_noncircular+0x95/0xc0
check_prev_add+0x115/0x2f0
validate_chain+0x1cf/0x270
__lock_acquire+0x60e/0x780
lock_acquire.part.0+0xb4/0x1f0
_raw_spin_lock+0x2f/0x40
cifs_signal_cifsd_for_reconnect+0x134/0x200
__cifs_reconnect+0x8f/0x500
cifs_handle_standard+0x112/0x280
cifs_demultiplex_thread+0x64d/0xbc0
kthread+0x2f7/0x310
ret_from_fork+0x2a/0x230
ret_from_fork_asm+0x1a/0x30
other info that might help us debug this:
Chain exists of:
&tcp_ses->srv_lock --> &ret_buf->ses_lock --> &ret_buf->chan_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ret_buf->chan_lock);
lock(&ret_buf->ses_lock);
lock(&ret_buf->chan_lock);
lock(&tcp_ses->srv_lock);
*** DEADLOCK ***
3 locks held by cifsd/6055:
#0: ffffffff857de398 (&cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200
#1: ffff888119c64060 (&ret_buf->ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200
#2: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/cifsglob.h", "fs/smb/client/connect.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c82c7041258d96e3286f6790ab700e4edd3cc9e3", "status": "affected", "version": "d7d7a66aacd6fd8ca57baf08a7bac5421282f6f8", "versionType": "git" }, { "lessThan": "7f3ead8ebc0ef65b6c89a13912b4e80218425629", "status": "affected", "version": "d7d7a66aacd6fd8ca57baf08a7bac5421282f6f8", "versionType": "git" }, { "lessThan": "fe035dc78aa6ca8f862857d45beaf7a0e03206ca", "status": "affected", "version": "d7d7a66aacd6fd8ca57baf08a7bac5421282f6f8", "versionType": "git" }, { "lessThan": "711741f94ac3cf9f4e3aa73aa171e76d188c0819", "status": "affected", "version": "d7d7a66aacd6fd8ca57baf08a7bac5421282f6f8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/cifsglob.h", "fs/smb/client/connect.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when reconnecting channels\n\nFix cifs_signal_cifsd_for_reconnect() to take the correct lock order\nand prevent the following deadlock from happening\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.16.0-rc3-build2+ #1301 Tainted: G S W\n------------------------------------------------------\ncifsd/6055 is trying to acquire lock:\nffff88810ad56038 (\u0026tcp_ses-\u003esrv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200\n\nbut task is already holding lock:\nffff888119c64330 (\u0026ret_buf-\u003echan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 (\u0026ret_buf-\u003echan_lock){+.+.}-{3:3}:\n validate_chain+0x1cf/0x270\n __lock_acquire+0x60e/0x780\n lock_acquire.part.0+0xb4/0x1f0\n _raw_spin_lock+0x2f/0x40\n cifs_setup_session+0x81/0x4b0\n cifs_get_smb_ses+0x771/0x900\n cifs_mount_get_session+0x7e/0x170\n cifs_mount+0x92/0x2d0\n cifs_smb3_do_mount+0x161/0x460\n smb3_get_tree+0x55/0x90\n vfs_get_tree+0x46/0x180\n do_new_mount+0x1b0/0x2e0\n path_mount+0x6ee/0x740\n do_mount+0x98/0xe0\n __do_sys_mount+0x148/0x180\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-\u003e #1 (\u0026ret_buf-\u003eses_lock){+.+.}-{3:3}:\n validate_chain+0x1cf/0x270\n __lock_acquire+0x60e/0x780\n lock_acquire.part.0+0xb4/0x1f0\n _raw_spin_lock+0x2f/0x40\n cifs_match_super+0x101/0x320\n sget+0xab/0x270\n cifs_smb3_do_mount+0x1e0/0x460\n smb3_get_tree+0x55/0x90\n vfs_get_tree+0x46/0x180\n do_new_mount+0x1b0/0x2e0\n path_mount+0x6ee/0x740\n do_mount+0x98/0xe0\n __do_sys_mount+0x148/0x180\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-\u003e #0 (\u0026tcp_ses-\u003esrv_lock){+.+.}-{3:3}:\n check_noncircular+0x95/0xc0\n check_prev_add+0x115/0x2f0\n validate_chain+0x1cf/0x270\n __lock_acquire+0x60e/0x780\n lock_acquire.part.0+0xb4/0x1f0\n _raw_spin_lock+0x2f/0x40\n cifs_signal_cifsd_for_reconnect+0x134/0x200\n __cifs_reconnect+0x8f/0x500\n cifs_handle_standard+0x112/0x280\n cifs_demultiplex_thread+0x64d/0xbc0\n kthread+0x2f7/0x310\n ret_from_fork+0x2a/0x230\n ret_from_fork_asm+0x1a/0x30\n\nother info that might help us debug this:\n\nChain exists of:\n \u0026tcp_ses-\u003esrv_lock --\u003e \u0026ret_buf-\u003eses_lock --\u003e \u0026ret_buf-\u003echan_lock\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(\u0026ret_buf-\u003echan_lock);\n lock(\u0026ret_buf-\u003eses_lock);\n lock(\u0026ret_buf-\u003echan_lock);\n lock(\u0026tcp_ses-\u003esrv_lock);\n\n *** DEADLOCK ***\n\n3 locks held by cifsd/6055:\n #0: ffffffff857de398 (\u0026cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200\n #1: ffff888119c64060 (\u0026ret_buf-\u003eses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200\n #2: ffff888119c64330 (\u0026ret_buf-\u003echan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:02.889Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c82c7041258d96e3286f6790ab700e4edd3cc9e3" }, { "url": "https://git.kernel.org/stable/c/7f3ead8ebc0ef65b6c89a13912b4e80218425629" }, { "url": "https://git.kernel.org/stable/c/fe035dc78aa6ca8f862857d45beaf7a0e03206ca" }, { "url": "https://git.kernel.org/stable/c/711741f94ac3cf9f4e3aa73aa171e76d188c0819" } ], "title": "smb: client: fix potential deadlock when reconnecting channels", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38244", "datePublished": "2025-07-09T10:42:26.622Z", "dateReserved": "2025-04-16T04:51:23.996Z", "dateUpdated": "2025-07-28T04:16:02.889Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38256 (GCVE-0-2025-38256)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: fix folio unpinning
syzbot complains about an unmapping failure:
[ 108.070381][ T14] kernel BUG at mm/gup.c:71!
[ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025
[ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work
[ 108.174205][ T14] Call trace:
[ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P)
[ 108.178138][ T14] unpin_user_page+0x80/0x10c
[ 108.180189][ T14] io_release_ubuf+0x84/0xf8
[ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c
[ 108.184345][ T14] io_rsrc_data_free+0x148/0x298
[ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0
[ 108.188991][ T14] io_ring_ctx_free+0x48/0x480
[ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8
[ 108.193207][ T14] process_one_work+0x7e8/0x155c
[ 108.195431][ T14] worker_thread+0x958/0xed8
[ 108.197561][ T14] kthread+0x5fc/0x75c
[ 108.199362][ T14] ret_from_fork+0x10/0x20
We can pin a tail page of a folio, but then io_uring will try to unpin
the head page of the folio. While it should be fine in terms of keeping
the page actually alive, mm folks say it's wrong and triggers a debug
warning. Use unpin_user_folio() instead of unpin_user_page*.
[axboe: adapt to current tree, massage commit message]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/rsrc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "53fd75f25b223878b5fff14932e3a22f42b54f77", "status": "affected", "version": "a8edbb424b1391b077407c75d8f5d2ede77aa70d", "versionType": "git" }, { "lessThan": "11e7b7369e655e6131387b174218d7fa9557b3da", "status": "affected", "version": "a8edbb424b1391b077407c75d8f5d2ede77aa70d", "versionType": "git" }, { "lessThan": "5afb4bf9fc62d828647647ec31745083637132e4", "status": "affected", "version": "a8edbb424b1391b077407c75d8f5d2ede77aa70d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/rsrc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: fix folio unpinning\n\nsyzbot complains about an unmapping failure:\n\n[ 108.070381][ T14] kernel BUG at mm/gup.c:71!\n[ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n[ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025\n[ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work\n[ 108.174205][ T14] Call trace:\n[ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P)\n[ 108.178138][ T14] unpin_user_page+0x80/0x10c\n[ 108.180189][ T14] io_release_ubuf+0x84/0xf8\n[ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c\n[ 108.184345][ T14] io_rsrc_data_free+0x148/0x298\n[ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0\n[ 108.188991][ T14] io_ring_ctx_free+0x48/0x480\n[ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8\n[ 108.193207][ T14] process_one_work+0x7e8/0x155c\n[ 108.195431][ T14] worker_thread+0x958/0xed8\n[ 108.197561][ T14] kthread+0x5fc/0x75c\n[ 108.199362][ T14] ret_from_fork+0x10/0x20\n\nWe can pin a tail page of a folio, but then io_uring will try to unpin\nthe head page of the folio. While it should be fine in terms of keeping\nthe page actually alive, mm folks say it\u0027s wrong and triggers a debug\nwarning. Use unpin_user_folio() instead of unpin_user_page*.\n\n[axboe: adapt to current tree, massage commit message]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:20.912Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/53fd75f25b223878b5fff14932e3a22f42b54f77" }, { "url": "https://git.kernel.org/stable/c/11e7b7369e655e6131387b174218d7fa9557b3da" }, { "url": "https://git.kernel.org/stable/c/5afb4bf9fc62d828647647ec31745083637132e4" } ], "title": "io_uring/rsrc: fix folio unpinning", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38256", "datePublished": "2025-07-09T10:42:33.819Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:20.912Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38252 (GCVE-0-2025-38252)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cxl/ras: Fix CPER handler device confusion
By inspection, cxl_cper_handle_prot_err() is making a series of fragile
assumptions that can lead to crashes:
1/ It assumes that endpoints identified in the record are a CXL-type-3
device, nothing guarantees that.
2/ It assumes that the device is bound to the cxl_pci driver, nothing
guarantees that.
3/ Minor, it holds the device lock over the switch-port tracing for no
reason as the trace is 100% generated from data in the record.
Correct those by checking that the PCIe endpoint parents a cxl_memdev
before assuming the format of the driver data, and move the lock to where
it is required. Consequently this also makes the implementation ready for
CXL accelerators that are not bound to cxl_pci.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/cxl/core/ras.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4bcb8dd36e9e3fad6c22862ac5b6993df838309b", "status": "affected", "version": "36f257e3b0ba904f5a4e7fa8dafaa60e88cdd28c", "versionType": "git" }, { "lessThan": "3c70ec71abdaf4e4fa48cd8fdfbbd864d78235a8", "status": "affected", "version": "36f257e3b0ba904f5a4e7fa8dafaa60e88cdd28c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/cxl/core/ras.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/ras: Fix CPER handler device confusion\n\nBy inspection, cxl_cper_handle_prot_err() is making a series of fragile\nassumptions that can lead to crashes:\n\n1/ It assumes that endpoints identified in the record are a CXL-type-3\n device, nothing guarantees that.\n\n2/ It assumes that the device is bound to the cxl_pci driver, nothing\n guarantees that.\n\n3/ Minor, it holds the device lock over the switch-port tracing for no\n reason as the trace is 100% generated from data in the record.\n\nCorrect those by checking that the PCIe endpoint parents a cxl_memdev\nbefore assuming the format of the driver data, and move the lock to where\nit is required. Consequently this also makes the implementation ready for\nCXL accelerators that are not bound to cxl_pci." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:15.177Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4bcb8dd36e9e3fad6c22862ac5b6993df838309b" }, { "url": "https://git.kernel.org/stable/c/3c70ec71abdaf4e4fa48cd8fdfbbd864d78235a8" } ], "title": "cxl/ras: Fix CPER handler device confusion", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38252", "datePublished": "2025-07-09T10:42:31.477Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:15.177Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38243 (GCVE-0-2025-38243)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix invalid inode pointer dereferences during log replay
In a few places where we call read_one_inode(), if we get a NULL pointer
we end up jumping into an error path, or fallthrough in case of
__add_inode_ref(), where we then do something like this:
iput(&inode->vfs_inode);
which results in an invalid inode pointer that triggers an invalid memory
access, resulting in a crash.
Fix this by making sure we don't do such dereferences.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/tree-log.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "401d098f92ea69d8a75f8b845daf343e511681ba", "status": "affected", "version": "0502d1127436a69b8c2e7cf309ae0ebff3332668", "versionType": "git" }, { "lessThan": "ba8386d662cc51cc5382688bbf7a152b0b0b27cf", "status": "affected", "version": "b4c50cbb01a1b6901d2b94469636dd80fa93de81", "versionType": "git" }, { "lessThan": "2dcf838cf5c2f0f4501edaa1680fcad03618d760", "status": "affected", "version": "b4c50cbb01a1b6901d2b94469636dd80fa93de81", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/tree-log.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix invalid inode pointer dereferences during log replay\n\nIn a few places where we call read_one_inode(), if we get a NULL pointer\nwe end up jumping into an error path, or fallthrough in case of\n__add_inode_ref(), where we then do something like this:\n\n iput(\u0026inode-\u003evfs_inode);\n\nwhich results in an invalid inode pointer that triggers an invalid memory\naccess, resulting in a crash.\n\nFix this by making sure we don\u0027t do such dereferences." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:01.184Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/401d098f92ea69d8a75f8b845daf343e511681ba" }, { "url": "https://git.kernel.org/stable/c/ba8386d662cc51cc5382688bbf7a152b0b0b27cf" }, { "url": "https://git.kernel.org/stable/c/2dcf838cf5c2f0f4501edaa1680fcad03618d760" } ], "title": "btrfs: fix invalid inode pointer dereferences during log replay", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38243", "datePublished": "2025-07-09T10:42:26.014Z", "dateReserved": "2025-04-16T04:51:23.996Z", "dateUpdated": "2025-07-28T04:16:01.184Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38259 (GCVE-0-2025-38259)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd9335: Fix missing free of regulator supplies
Driver gets and enables all regulator supplies in probe path
(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup
in final error paths and in unbind (missing remove() callback). This
leads to leaked memory and unbalanced regulator enable count during
probe errors or unbind.
Fix this by converting entire code into devm_regulator_bulk_get_enable()
which also greatly simplifies the code.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 20aedafdf4926e7a957f8b302a18c8fb75c7e332 Version: 20aedafdf4926e7a957f8b302a18c8fb75c7e332 Version: 20aedafdf4926e7a957f8b302a18c8fb75c7e332 Version: 20aedafdf4926e7a957f8b302a18c8fb75c7e332 Version: 20aedafdf4926e7a957f8b302a18c8fb75c7e332 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/soc/codecs/wcd9335.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "edadaf4239c14dc8a19ea7f60b97d5524d93c29b", "status": "affected", "version": "20aedafdf4926e7a957f8b302a18c8fb75c7e332", "versionType": "git" }, { "lessThan": "9830ef1803a5bc50b4a984a06cf23142cd46229d", "status": "affected", "version": "20aedafdf4926e7a957f8b302a18c8fb75c7e332", "versionType": "git" }, { "lessThan": "a8795f3cd289cd958f6396a1b43ba46fa8e22a2e", "status": "affected", "version": "20aedafdf4926e7a957f8b302a18c8fb75c7e332", "versionType": "git" }, { "lessThan": "b86280aaa23c1c0f31bcaa600d35ddc45bc38b7a", "status": "affected", "version": "20aedafdf4926e7a957f8b302a18c8fb75c7e332", "versionType": "git" }, { "lessThan": "9079db287fc3e38e040b0edeb0a25770bb679c8e", "status": "affected", "version": "20aedafdf4926e7a957f8b302a18c8fb75c7e332", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/soc/codecs/wcd9335.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd9335: Fix missing free of regulator supplies\n\nDriver gets and enables all regulator supplies in probe path\n(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup\nin final error paths and in unbind (missing remove() callback). This\nleads to leaked memory and unbalanced regulator enable count during\nprobe errors or unbind.\n\nFix this by converting entire code into devm_regulator_bulk_get_enable()\nwhich also greatly simplifies the code." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:25.447Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/edadaf4239c14dc8a19ea7f60b97d5524d93c29b" }, { "url": "https://git.kernel.org/stable/c/9830ef1803a5bc50b4a984a06cf23142cd46229d" }, { "url": "https://git.kernel.org/stable/c/a8795f3cd289cd958f6396a1b43ba46fa8e22a2e" }, { "url": "https://git.kernel.org/stable/c/b86280aaa23c1c0f31bcaa600d35ddc45bc38b7a" }, { "url": "https://git.kernel.org/stable/c/9079db287fc3e38e040b0edeb0a25770bb679c8e" } ], "title": "ASoC: codecs: wcd9335: Fix missing free of regulator supplies", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38259", "datePublished": "2025-07-09T10:42:35.602Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:25.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38241 (GCVE-0-2025-38241)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/shmem, swap: fix softlockup with mTHP swapin
Following softlockup can be easily reproduced on my test machine with:
echo always > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled
swapon /dev/zram0 # zram0 is a 48G swap device
mkdir -p /sys/fs/cgroup/memory/test
echo 1G > /sys/fs/cgroup/test/memory.max
echo $BASHPID > /sys/fs/cgroup/test/cgroup.procs
while true; do
dd if=/dev/zero of=/tmp/test.img bs=1M count=5120
cat /tmp/test.img > /dev/null
rm /tmp/test.img
done
Then after a while:
watchdog: BUG: soft lockup - CPU#0 stuck for 763s! [cat:5787]
Modules linked in: zram virtiofs
CPU: 0 UID: 0 PID: 5787 Comm: cat Kdump: loaded Tainted: G L 6.15.0.orig-gf3021d9246bc-dirty #118 PREEMPT(voluntary)·
Tainted: [L]=SOFTLOCKUP
Hardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015
RIP: 0010:mpol_shared_policy_lookup+0xd/0x70
Code: e9 b8 b4 ff ff 31 c0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 54 55 53 <48> 8b 1f 48 85 db 74 41 4c 8d 67 08 48 89 fb 48 89 f5 4c 89 e7 e8
RSP: 0018:ffffc90002b1fc28 EFLAGS: 00000202
RAX: 00000000001c20ca RBX: 0000000000724e1e RCX: 0000000000000001
RDX: ffff888118e214c8 RSI: 0000000000057d42 RDI: ffff888118e21518
RBP: 000000000002bec8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000bf4 R11: 0000000000000000 R12: 0000000000000001
R13: 00000000001c20ca R14: 00000000001c20ca R15: 0000000000000000
FS: 00007f03f995c740(0000) GS:ffff88a07ad9a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f03f98f1000 CR3: 0000000144626004 CR4: 0000000000770eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
shmem_alloc_folio+0x31/0xc0
shmem_swapin_folio+0x309/0xcf0
? filemap_get_entry+0x117/0x1e0
? xas_load+0xd/0xb0
? filemap_get_entry+0x101/0x1e0
shmem_get_folio_gfp+0x2ed/0x5b0
shmem_file_read_iter+0x7f/0x2e0
vfs_read+0x252/0x330
ksys_read+0x68/0xf0
do_syscall_64+0x4c/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f03f9a46991
Code: 00 48 8b 15 81 14 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d 35 97 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
RSP: 002b:00007fff3c52bd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f03f9a46991
RDX: 0000000000040000 RSI: 00007f03f98ba000 RDI: 0000000000000003
RBP: 00007fff3c52bd50 R08: 0000000000000000 R09: 00007f03f9b9a380
R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000
R13: 00007f03f98ba000 R14: 0000000000000003 R15: 0000000000000000
</TASK>
The reason is simple, readahead brought some order 0 folio in swap cache,
and the swapin mTHP folio being allocated is in conflict with it, so
swapcache_prepare fails and causes shmem_swap_alloc_folio to return
-EEXIST, and shmem simply retries again and again causing this loop.
Fix it by applying a similar fix for anon mTHP swapin.
The performance change is very slight, time of swapin 10g zero folios
with shmem (test for 12 times):
Before: 2.47s
After: 2.48s
[kasong@tencent.com: add comment]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/memory.c", "mm/shmem.c", "mm/swap.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca", "status": "affected", "version": "1dd44c0af4fa1e80a4e82faa10cbf5d22da40362", "versionType": "git" }, { "lessThan": "a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f", "status": "affected", "version": "1dd44c0af4fa1e80a4e82faa10cbf5d22da40362", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/memory.c", "mm/shmem.c", "mm/swap.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem, swap: fix softlockup with mTHP swapin\n\nFollowing softlockup can be easily reproduced on my test machine with:\n\necho always \u003e /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled\nswapon /dev/zram0 # zram0 is a 48G swap device\nmkdir -p /sys/fs/cgroup/memory/test\necho 1G \u003e /sys/fs/cgroup/test/memory.max\necho $BASHPID \u003e /sys/fs/cgroup/test/cgroup.procs\nwhile true; do\n dd if=/dev/zero of=/tmp/test.img bs=1M count=5120\n cat /tmp/test.img \u003e /dev/null\n rm /tmp/test.img\ndone\n\nThen after a while:\nwatchdog: BUG: soft lockup - CPU#0 stuck for 763s! [cat:5787]\nModules linked in: zram virtiofs\nCPU: 0 UID: 0 PID: 5787 Comm: cat Kdump: loaded Tainted: G L 6.15.0.orig-gf3021d9246bc-dirty #118 PREEMPT(voluntary)\u00b7\nTainted: [L]=SOFTLOCKUP\nHardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015\nRIP: 0010:mpol_shared_policy_lookup+0xd/0x70\nCode: e9 b8 b4 ff ff 31 c0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 54 55 53 \u003c48\u003e 8b 1f 48 85 db 74 41 4c 8d 67 08 48 89 fb 48 89 f5 4c 89 e7 e8\nRSP: 0018:ffffc90002b1fc28 EFLAGS: 00000202\nRAX: 00000000001c20ca RBX: 0000000000724e1e RCX: 0000000000000001\nRDX: ffff888118e214c8 RSI: 0000000000057d42 RDI: ffff888118e21518\nRBP: 000000000002bec8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000bf4 R11: 0000000000000000 R12: 0000000000000001\nR13: 00000000001c20ca R14: 00000000001c20ca R15: 0000000000000000\nFS: 00007f03f995c740(0000) GS:ffff88a07ad9a000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f03f98f1000 CR3: 0000000144626004 CR4: 0000000000770eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n shmem_alloc_folio+0x31/0xc0\n shmem_swapin_folio+0x309/0xcf0\n ? filemap_get_entry+0x117/0x1e0\n ? xas_load+0xd/0xb0\n ? filemap_get_entry+0x101/0x1e0\n shmem_get_folio_gfp+0x2ed/0x5b0\n shmem_file_read_iter+0x7f/0x2e0\n vfs_read+0x252/0x330\n ksys_read+0x68/0xf0\n do_syscall_64+0x4c/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f03f9a46991\nCode: 00 48 8b 15 81 14 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d 35 97 10 00 00 74 13 31 c0 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec\nRSP: 002b:00007fff3c52bd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f03f9a46991\nRDX: 0000000000040000 RSI: 00007f03f98ba000 RDI: 0000000000000003\nRBP: 00007fff3c52bd50 R08: 0000000000000000 R09: 00007f03f9b9a380\nR10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000\nR13: 00007f03f98ba000 R14: 0000000000000003 R15: 0000000000000000\n \u003c/TASK\u003e\n\nThe reason is simple, readahead brought some order 0 folio in swap cache,\nand the swapin mTHP folio being allocated is in conflict with it, so\nswapcache_prepare fails and causes shmem_swap_alloc_folio to return\n-EEXIST, and shmem simply retries again and again causing this loop.\n\nFix it by applying a similar fix for anon mTHP swapin.\n\nThe performance change is very slight, time of swapin 10g zero folios\nwith shmem (test for 12 times):\nBefore: 2.47s\nAfter: 2.48s\n\n[kasong@tencent.com: add comment]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:15:58.148Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca" }, { "url": "https://git.kernel.org/stable/c/a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f" } ], "title": "mm/shmem, swap: fix softlockup with mTHP swapin", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38241", "datePublished": "2025-07-09T10:42:24.777Z", "dateReserved": "2025-04-16T04:51:23.996Z", "dateUpdated": "2025-07-28T04:15:58.148Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38257 (GCVE-0-2025-38257)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/pkey: Prevent overflow in size calculation for memdup_user()
Number of apqn target list entries contained in 'nr_apqns' variable is
determined by userspace via an ioctl call so the result of the product in
calculation of size passed to memdup_user() may overflow.
In this case the actual size of the allocated area and the value
describing it won't be in sync leading to various types of unpredictable
behaviour later.
Use a proper memdup_array_user() helper which returns an error if an
overflow is detected. Note that it is different from when nr_apqns is
initially zero - that case is considered valid and should be handled in
subsequent pkey_handler implementations.
Found by Linux Verification Center (linuxtesting.org).
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d Version: f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d Version: f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d Version: f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d Version: f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d Version: f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/s390/crypto/pkey_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ad1bdd24a02d5a8d119af8e4cd50933780a6d29f", "status": "affected", "version": "f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d", "versionType": "git" }, { "lessThan": "faa1ab4a23c42e34dc000ef4977b751d94d5148c", "status": "affected", "version": "f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d", "versionType": "git" }, { "lessThan": "88f3869649edbc4a13f6c2877091f81cd5a50f05", "status": "affected", "version": "f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d", "versionType": "git" }, { "lessThan": "f855b119e62b004a5044ed565f2a2b368c4d3f16", "status": "affected", "version": "f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d", "versionType": "git" }, { "lessThan": "73483ca7e07a5e39bdf612eec9d3d293e8bef649", "status": "affected", "version": "f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d", "versionType": "git" }, { "lessThan": "7360ee47599af91a1d5f4e74d635d9408a54e489", "status": "affected", "version": "f2bbc96e7cfad3891b7bf9bd3e566b9b7ab4553d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/s390/crypto/pkey_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.187", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.187", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Prevent overflow in size calculation for memdup_user()\n\nNumber of apqn target list entries contained in \u0027nr_apqns\u0027 variable is\ndetermined by userspace via an ioctl call so the result of the product in\ncalculation of size passed to memdup_user() may overflow.\n\nIn this case the actual size of the allocated area and the value\ndescribing it won\u0027t be in sync leading to various types of unpredictable\nbehaviour later.\n\nUse a proper memdup_array_user() helper which returns an error if an\noverflow is detected. Note that it is different from when nr_apqns is\ninitially zero - that case is considered valid and should be handled in\nsubsequent pkey_handler implementations.\n\nFound by Linux Verification Center (linuxtesting.org)." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:22.240Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ad1bdd24a02d5a8d119af8e4cd50933780a6d29f" }, { "url": "https://git.kernel.org/stable/c/faa1ab4a23c42e34dc000ef4977b751d94d5148c" }, { "url": "https://git.kernel.org/stable/c/88f3869649edbc4a13f6c2877091f81cd5a50f05" }, { "url": "https://git.kernel.org/stable/c/f855b119e62b004a5044ed565f2a2b368c4d3f16" }, { "url": "https://git.kernel.org/stable/c/73483ca7e07a5e39bdf612eec9d3d293e8bef649" }, { "url": "https://git.kernel.org/stable/c/7360ee47599af91a1d5f4e74d635d9408a54e489" } ], "title": "s390/pkey: Prevent overflow in size calculation for memdup_user()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38257", "datePublished": "2025-07-09T10:42:34.395Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:22.240Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38258 (GCVE-0-2025-38258)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
memcg_path_store() assigns a newly allocated memory buffer to
filter->memcg_path, without deallocating the previously allocated and
assigned memory buffer. As a result, users can leak kernel memory by
continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak
by deallocating the previously set memory buffer.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/damon/sysfs-schemes.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "490a43d07f1663d827e802720d30cbc0494e4f81", "status": "affected", "version": "7ee161f18b5da5170b5d6a51aace49d312099128", "versionType": "git" }, { "lessThan": "c5d5b0047b0c0f304608f3824139f7bd34c48413", "status": "affected", "version": "7ee161f18b5da5170b5d6a51aace49d312099128", "versionType": "git" }, { "lessThan": "4a158ac0538dd5695eeaa00aa0720d711f3e4ef1", "status": "affected", "version": "7ee161f18b5da5170b5d6a51aace49d312099128", "versionType": "git" }, { "lessThan": "4f489fe6afb395dbc79840efa3c05440b760d883", "status": "affected", "version": "7ee161f18b5da5170b5d6a51aace49d312099128", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/damon/sysfs-schemes.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter-\u003ememcg_path on write\n\nmemcg_path_store() assigns a newly allocated memory buffer to\nfilter-\u003ememcg_path, without deallocating the previously allocated and\nassigned memory buffer. As a result, users can leak kernel memory by\ncontinuously writing a data to memcg_path DAMOS sysfs file. Fix the leak\nby deallocating the previously set memory buffer." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:23.939Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/490a43d07f1663d827e802720d30cbc0494e4f81" }, { "url": "https://git.kernel.org/stable/c/c5d5b0047b0c0f304608f3824139f7bd34c48413" }, { "url": "https://git.kernel.org/stable/c/4a158ac0538dd5695eeaa00aa0720d711f3e4ef1" }, { "url": "https://git.kernel.org/stable/c/4f489fe6afb395dbc79840efa3c05440b760d883" } ], "title": "mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter-\u003ememcg_path on write", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38258", "datePublished": "2025-07-09T10:42:35.000Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:23.939Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38261 (GCVE-0-2025-38261)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: save the SR_SUM status over switches
When threads/tasks are switched we need to ensure the old execution's
SR_SUM state is saved and the new thread has the old SR_SUM state
restored.
The issue was seen under heavy load especially with the syz-stress tool
running, with crashes as follows in schedule_tail:
Unable to handle kernel access to user memory without uaccess routines
at virtual address 000000002749f0d0
Oops [#1]
Modules linked in:
CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted
5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)
epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
ra : task_pid_vnr include/linux/sched.h:1421 [inline]
ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264
epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0
gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000
t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0
s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003
a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00
a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba
s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0
s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850
s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8
s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2
t5 : ffffffc4043cafba t6 : 0000000000040000
status: 0000000000000120 badaddr: 000000002749f0d0 cause:
000000000000000f
Call Trace:
[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
[<ffffffe000005570>] ret_from_exception+0x0/0x14
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace b5f8f9231dc87dda ]---
The issue comes from the put_user() in schedule_tail
(kernel/sched/core.c) doing the following:
asmlinkage __visible void schedule_tail(struct task_struct *prev)
{
...
if (current->set_child_tid)
put_user(task_pid_vnr(current), current->set_child_tid);
...
}
the put_user() macro causes the code sequence to come out as follows:
1: __enable_user_access()
2: reg = task_pid_vnr(current);
3: *current->set_child_tid = reg;
4: __disable_user_access()
The problem is that we may have a sleeping function as argument which
could clear SR_SUM causing the panic above. This was fixed by
evaluating the argument of the put_user() macro outside the user-enabled
section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before
enabling user access")"
In order for riscv to take advantage of unsafe_get/put_XXX() macros and
to avoid the same issue we had with put_user() and sleeping functions we
must ensure code flow can go through switch_to() from within a region of
code with SR_SUM enabled and come back with SR_SUM still enabled. This
patch addresses the problem allowing future work to enable full use of
unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost
on every access. Make switch_to() save and restore SR_SUM.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/riscv/include/asm/processor.h", "arch/riscv/kernel/asm-offsets.c", "arch/riscv/kernel/entry.S" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "69ea599a8dab93a620c92c255be4239a06290a77", "status": "affected", "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446", "versionType": "git" }, { "lessThan": "788aa64c01f1262310b4c1fb827a36df170d86ea", "status": "affected", "version": "76d2a0493a17d4c8ecc781366850c3c4f8e1a446", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/riscv/include/asm/processor.h", "arch/riscv/kernel/asm-offsets.c", "arch/riscv/kernel/entry.S" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: save the SR_SUM status over switches\n\nWhen threads/tasks are switched we need to ensure the old execution\u0027s\nSR_SUM state is saved and the new thread has the old SR_SUM state\nrestored.\n\nThe issue was seen under heavy load especially with the syz-stress tool\nrunning, with crashes as follows in schedule_tail:\n\nUnable to handle kernel access to user memory without uaccess routines\nat virtual address 000000002749f0d0\nOops [#1]\nModules linked in:\nCPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted\n5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0\nHardware name: riscv-virtio,qemu (DT)\nepc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n ra : task_pid_vnr include/linux/sched.h:1421 [inline]\n ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264\nepc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0\n gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000\n t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0\n s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003\n a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00\n a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba\n s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0\n s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850\n s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8\n s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2\n t5 : ffffffc4043cafba t6 : 0000000000040000\nstatus: 0000000000000120 badaddr: 000000002749f0d0 cause:\n000000000000000f\nCall Trace:\n[\u003cffffffe00008c8b0\u003e] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n[\u003cffffffe000005570\u003e] ret_from_exception+0x0/0x14\nDumping ftrace buffer:\n (ftrace buffer empty)\n---[ end trace b5f8f9231dc87dda ]---\n\nThe issue comes from the put_user() in schedule_tail\n(kernel/sched/core.c) doing the following:\n\nasmlinkage __visible void schedule_tail(struct task_struct *prev)\n{\n...\n if (current-\u003eset_child_tid)\n put_user(task_pid_vnr(current), current-\u003eset_child_tid);\n...\n}\n\nthe put_user() macro causes the code sequence to come out as follows:\n\n1:\t__enable_user_access()\n2:\treg = task_pid_vnr(current);\n3:\t*current-\u003eset_child_tid = reg;\n4:\t__disable_user_access()\n\nThe problem is that we may have a sleeping function as argument which\ncould clear SR_SUM causing the panic above. This was fixed by\nevaluating the argument of the put_user() macro outside the user-enabled\nsection in commit 285a76bb2cf5 (\"riscv: evaluate put_user() arg before\nenabling user access\")\"\n\nIn order for riscv to take advantage of unsafe_get/put_XXX() macros and\nto avoid the same issue we had with put_user() and sleeping functions we\nmust ensure code flow can go through switch_to() from within a region of\ncode with SR_SUM enabled and come back with SR_SUM still enabled. This\npatch addresses the problem allowing future work to enable full use of\nunsafe_get/put_XXX() macros without needing to take a CSR bit flip cost\non every access. Make switch_to() save and restore SR_SUM." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:33.410Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/69ea599a8dab93a620c92c255be4239a06290a77" }, { "url": "https://git.kernel.org/stable/c/788aa64c01f1262310b4c1fb827a36df170d86ea" } ], "title": "riscv: save the SR_SUM status over switches", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38261", "datePublished": "2025-07-09T10:42:36.810Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:33.410Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38238 (GCVE-0-2025-38238)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out
When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to
send ABTS for each of them. On send completion, this causes an attempt to
free the same frame twice that leads to a crash.
Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS
logic accordingly.
Tested by checking MDS for FDMI information.
Tested by using instrumented driver to:
- Drop PLOGI response
- Drop RHBA response
- Drop RPA response
- Drop RHBA and RPA response
- Drop PLOGI response + ABTS response
- Drop RHBA response + ABTS response
- Drop RPA response + ABTS response
- Drop RHBA and RPA response + ABTS response for both of them
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/fnic/fdls_disc.c", "drivers/scsi/fnic/fnic.h", "drivers/scsi/fnic/fnic_fdls.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "09679e9abedfbc5a2590759a1a7893c1c26e6044", "status": "affected", "version": "09c1e6ab4ab2a107d96f119950dc330e446dc2b0", "versionType": "git" }, { "lessThan": "a35b29bdedb4d2ae3160d4d6684a6f1ecd9ca7c2", "status": "affected", "version": "09c1e6ab4ab2a107d96f119950dc330e446dc2b0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/fnic/fdls_disc.c", "drivers/scsi/fnic/fnic.h", "drivers/scsi/fnic/fnic_fdls.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out\n\nWhen both the RHBA and RPA FDMI requests time out, fnic reuses a frame to\nsend ABTS for each of them. On send completion, this causes an attempt to\nfree the same frame twice that leads to a crash.\n\nFix crash by allocating separate frames for RHBA and RPA, and modify ABTS\nlogic accordingly.\n\nTested by checking MDS for FDMI information.\n\nTested by using instrumented driver to:\n\n - Drop PLOGI response\n - Drop RHBA response\n - Drop RPA response\n - Drop RHBA and RPA response\n - Drop PLOGI response + ABTS response\n - Drop RHBA response + ABTS response\n - Drop RPA response + ABTS response\n - Drop RHBA and RPA response + ABTS response for both of them" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:15:55.539Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/09679e9abedfbc5a2590759a1a7893c1c26e6044" }, { "url": "https://git.kernel.org/stable/c/a35b29bdedb4d2ae3160d4d6684a6f1ecd9ca7c2" } ], "title": "scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38238", "datePublished": "2025-07-09T10:42:23.538Z", "dateReserved": "2025-04-16T04:51:23.996Z", "dateUpdated": "2025-07-28T04:15:55.539Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38254 (GCVE-0-2025-38254)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add sanity checks for drm_edid_raw()
When EDID is retrieved via drm_edid_raw(), it doesn't guarantee to
return proper EDID bytes the caller wants: it may be either NULL (that
leads to an Oops) or with too long bytes over the fixed size raw_edid
array (that may lead to memory corruption). The latter was reported
actually when connected with a bad adapter.
Add sanity checks for drm_edid_raw() to address the above corner
cases, and return EDID_BAD_INPUT accordingly.
(cherry picked from commit 648d3f4d209725d51900d6a3ed46b7b600140cdf)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4b63507d7cd243574753c6b91f68516d9103f1de", "status": "affected", "version": "48edb2a4256eedf6c92eecf2bc7744e6ecb44b5e", "versionType": "git" }, { "lessThan": "6847b3b6e84ef37451c074e6a8db3fbd250c8dbf", "status": "affected", "version": "48edb2a4256eedf6c92eecf2bc7744e6ecb44b5e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.13" }, { "lessThan": "6.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add sanity checks for drm_edid_raw()\n\nWhen EDID is retrieved via drm_edid_raw(), it doesn\u0027t guarantee to\nreturn proper EDID bytes the caller wants: it may be either NULL (that\nleads to an Oops) or with too long bytes over the fixed size raw_edid\narray (that may lead to memory corruption). The latter was reported\nactually when connected with a bad adapter.\n\nAdd sanity checks for drm_edid_raw() to address the above corner\ncases, and return EDID_BAD_INPUT accordingly.\n\n(cherry picked from commit 648d3f4d209725d51900d6a3ed46b7b600140cdf)" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:18.261Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4b63507d7cd243574753c6b91f68516d9103f1de" }, { "url": "https://git.kernel.org/stable/c/6847b3b6e84ef37451c074e6a8db3fbd250c8dbf" } ], "title": "drm/amd/display: Add sanity checks for drm_edid_raw()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38254", "datePublished": "2025-07-09T10:42:32.641Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:18.261Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38248 (GCVE-0-2025-38248)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bridge: mcast: Fix use-after-free during router port configuration
The bridge maintains a global list of ports behind which a multicast
router resides. The list is consulted during forwarding to ensure
multicast packets are forwarded to these ports even if the ports are not
member in the matching MDB entry.
When per-VLAN multicast snooping is enabled, the per-port multicast
context is disabled on each port and the port is removed from the global
router port list:
# ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
# ip link add name dummy1 up master br1 type dummy
# ip link set dev dummy1 type bridge_slave mcast_router 2
$ bridge -d mdb show | grep router
router ports on br1: dummy1
# ip link set dev br1 type bridge mcast_vlan_snooping 1
$ bridge -d mdb show | grep router
However, the port can be re-added to the global list even when per-VLAN
multicast snooping is enabled:
# ip link set dev dummy1 type bridge_slave mcast_router 0
# ip link set dev dummy1 type bridge_slave mcast_router 2
$ bridge -d mdb show | grep router
router ports on br1: dummy1
Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement
br_multicast_{enable, disable}_port functions"), when per-VLAN multicast
snooping is enabled, multicast disablement on a port will disable the
per-{port, VLAN} multicast contexts and not the per-port one. As a
result, a port will remain in the global router port list even after it
is deleted. This will lead to a use-after-free [1] when the list is
traversed (when adding a new port to the list, for example):
# ip link del dev dummy1
# ip link add name dummy2 up master br1 type dummy
# ip link set dev dummy2 type bridge_slave mcast_router 2
Similarly, stale entries can also be found in the per-VLAN router port
list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}
contexts are disabled on each port and the port is removed from the
per-VLAN router port list:
# ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
# ip link add name dummy1 up master br1 type dummy
# bridge vlan add vid 2 dev dummy1
# bridge vlan global set vid 2 dev br1 mcast_snooping 1
# bridge vlan set vid 2 dev dummy1 mcast_router 2
$ bridge vlan global show dev br1 vid 2 | grep router
router ports: dummy1
# ip link set dev br1 type bridge mcast_vlan_snooping 0
$ bridge vlan global show dev br1 vid 2 | grep router
However, the port can be re-added to the per-VLAN list even when
per-VLAN multicast snooping is disabled:
# bridge vlan set vid 2 dev dummy1 mcast_router 0
# bridge vlan set vid 2 dev dummy1 mcast_router 2
$ bridge vlan global show dev br1 vid 2 | grep router
router ports: dummy1
When the VLAN is deleted from the port, the per-{port, VLAN} multicast
context will not be disabled since multicast snooping is not enabled
on the VLAN. As a result, the port will remain in the per-VLAN router
port list even after it is no longer member in the VLAN. This will lead
to a use-after-free [2] when the list is traversed (when adding a new
port to the list, for example):
# ip link add name dummy2 up master br1 type dummy
# bridge vlan add vid 2 dev dummy2
# bridge vlan del vid 2 dev dummy1
# bridge vlan set vid 2 dev dummy2 mcast_router 2
Fix these issues by removing the port from the relevant (global or
per-VLAN) router port list in br_multicast_port_ctx_deinit(). The
function is invoked during port deletion with the per-port multicast
context and during VLAN deletion with the per-{port, VLAN} multicast
context.
Note that deleting the multicast router timer is not enough as it only
takes care of the temporary multicast router states (1 or 3) and not the
permanent one (2).
[1]
BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560
Write of size 8 at addr ffff888004a67328 by task ip/384
[...]
Call Trace:
<TASK>
dump_stack
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bridge/br_multicast.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f05a4f9e959e0fc098046044c650acf897ea52d2", "status": "affected", "version": "2796d846d74a18cc6563e96eff8bf28c5e06f912", "versionType": "git" }, { "lessThan": "7544f3f5b0b58c396f374d060898b5939da31709", "status": "affected", "version": "2796d846d74a18cc6563e96eff8bf28c5e06f912", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bridge/br_multicast.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mcast: Fix use-after-free during router port configuration\n\nThe bridge maintains a global list of ports behind which a multicast\nrouter resides. The list is consulted during forwarding to ensure\nmulticast packets are forwarded to these ports even if the ports are not\nmember in the matching MDB entry.\n\nWhen per-VLAN multicast snooping is enabled, the per-port multicast\ncontext is disabled on each port and the port is removed from the global\nrouter port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 1\n $ bridge -d mdb show | grep router\n\nHowever, the port can be re-added to the global list even when per-VLAN\nmulticast snooping is enabled:\n\n # ip link set dev dummy1 type bridge_slave mcast_router 0\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n\nSince commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement\nbr_multicast_{enable, disable}_port functions\"), when per-VLAN multicast\nsnooping is enabled, multicast disablement on a port will disable the\nper-{port, VLAN} multicast contexts and not the per-port one. As a\nresult, a port will remain in the global router port list even after it\nis deleted. This will lead to a use-after-free [1] when the list is\ntraversed (when adding a new port to the list, for example):\n\n # ip link del dev dummy1\n # ip link add name dummy2 up master br1 type dummy\n # ip link set dev dummy2 type bridge_slave mcast_router 2\n\nSimilarly, stale entries can also be found in the per-VLAN router port\nlist. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}\ncontexts are disabled on each port and the port is removed from the\nper-VLAN router port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy1\n # bridge vlan global set vid 2 dev br1 mcast_snooping 1\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n router ports: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 0\n $ bridge vlan global show dev br1 vid 2 | grep router\n\nHowever, the port can be re-added to the per-VLAN list even when\nper-VLAN multicast snooping is disabled:\n\n # bridge vlan set vid 2 dev dummy1 mcast_router 0\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n router ports: dummy1\n\nWhen the VLAN is deleted from the port, the per-{port, VLAN} multicast\ncontext will not be disabled since multicast snooping is not enabled\non the VLAN. As a result, the port will remain in the per-VLAN router\nport list even after it is no longer member in the VLAN. This will lead\nto a use-after-free [2] when the list is traversed (when adding a new\nport to the list, for example):\n\n # ip link add name dummy2 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy2\n # bridge vlan del vid 2 dev dummy1\n # bridge vlan set vid 2 dev dummy2 mcast_router 2\n\nFix these issues by removing the port from the relevant (global or\nper-VLAN) router port list in br_multicast_port_ctx_deinit(). The\nfunction is invoked during port deletion with the per-port multicast\ncontext and during VLAN deletion with the per-{port, VLAN} multicast\ncontext.\n\nNote that deleting the multicast router timer is not enough as it only\ntakes care of the temporary multicast router states (1 or 3) and not the\npermanent one (2).\n\n[1]\nBUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560\nWrite of size 8 at addr ffff888004a67328 by task ip/384\n[...]\nCall Trace:\n \u003cTASK\u003e\n dump_stack\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:09.338Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f05a4f9e959e0fc098046044c650acf897ea52d2" }, { "url": "https://git.kernel.org/stable/c/7544f3f5b0b58c396f374d060898b5939da31709" } ], "title": "bridge: mcast: Fix use-after-free during router port configuration", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38248", "datePublished": "2025-07-09T10:42:29.133Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:09.338Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38260 (GCVE-0-2025-38260)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: handle csum tree error with rescue=ibadroots correctly
[BUG]
There is syzbot based reproducer that can crash the kernel, with the
following call trace: (With some debug output added)
DEBUG: rescue=ibadroots parsed
BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)
BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8
BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm
BTRFS info (device loop0): using free-space-tree
BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0
DEBUG: read tree root path failed for tree csum, ret=-5
BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0
BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0
process 'repro' launched './file2' with NULL argv: empty string added
DEBUG: no csum root, idatacsums=0 ibadroots=134217728
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]
Call Trace:
<TASK>
btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]
btrfs_submit_bbio+0x43e/0x1a80 [btrfs]
submit_one_bio+0xde/0x160 [btrfs]
btrfs_readahead+0x498/0x6a0 [btrfs]
read_pages+0x1c3/0xb20
page_cache_ra_order+0x4b5/0xc20
filemap_get_pages+0x2d3/0x19e0
filemap_read+0x314/0xde0
__kernel_read+0x35b/0x900
bprm_execve+0x62e/0x1140
do_execveat_common.isra.0+0x3fc/0x520
__x64_sys_execveat+0xdc/0x130
do_syscall_64+0x54/0x1d0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
---[ end trace 0000000000000000 ]---
[CAUSE]
Firstly the fs has a corrupted csum tree root, thus to mount the fs we
have to go "ro,rescue=ibadroots" mount option.
Normally with that mount option, a bad csum tree root should set
BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will
ignore csum search.
But in this particular case, we have the following call trace that
caused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:
load_global_roots_objectid():
ret = btrfs_search_slot();
/* Succeeded */
btrfs_item_key_to_cpu()
found = true;
/* We found the root item for csum tree. */
root = read_tree_root_path();
if (IS_ERR(root)) {
if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))
/*
* Since we have rescue=ibadroots mount option,
* @ret is still 0.
*/
break;
if (!found || ret) {
/* @found is true, @ret is 0, error handling for csum
* tree is skipped.
*/
}
This means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if
the csum tree is corrupted, which results unexpected later csum lookup.
[FIX]
If read_tree_root_path() failed, always populate @ret to the error
number.
As at the end of the function, we need @ret to determine if we need to
do the extra error handling for csum tree.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: abed4aaae4f71a7bcdbe90a65319b6e772a2689d Version: abed4aaae4f71a7bcdbe90a65319b6e772a2689d Version: abed4aaae4f71a7bcdbe90a65319b6e772a2689d Version: abed4aaae4f71a7bcdbe90a65319b6e772a2689d Version: abed4aaae4f71a7bcdbe90a65319b6e772a2689d |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/disk-io.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f8ce11903211542a61f05c02caedd2edfb4256b8", "status": "affected", "version": "abed4aaae4f71a7bcdbe90a65319b6e772a2689d", "versionType": "git" }, { "lessThan": "fc97a116dc4929905538bc0bd3af7faa51192957", "status": "affected", "version": "abed4aaae4f71a7bcdbe90a65319b6e772a2689d", "versionType": "git" }, { "lessThan": "bbe9231fe611a54a447962494472f604419bad59", "status": "affected", "version": "abed4aaae4f71a7bcdbe90a65319b6e772a2689d", "versionType": "git" }, { "lessThan": "3f5c4a996f8f4fecd24a3eb344a307c50af895c2", "status": "affected", "version": "abed4aaae4f71a7bcdbe90a65319b6e772a2689d", "versionType": "git" }, { "lessThan": "547e836661554dcfa15c212a3821664e85b4191a", "status": "affected", "version": "abed4aaae4f71a7bcdbe90a65319b6e772a2689d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/disk-io.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.17" }, { "lessThan": "5.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle csum tree error with rescue=ibadroots correctly\n\n[BUG]\nThere is syzbot based reproducer that can crash the kernel, with the\nfollowing call trace: (With some debug output added)\n\n DEBUG: rescue=ibadroots parsed\n BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)\n BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8\n BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm\n BTRFS info (device loop0): using free-space-tree\n BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0\n DEBUG: read tree root path failed for tree csum, ret=-5\n BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0\n BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0\n process \u0027repro\u0027 launched \u0027./file2\u0027 with NULL argv: empty string added\n DEBUG: no csum root, idatacsums=0 ibadroots=134217728\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]\n Call Trace:\n \u003cTASK\u003e\n btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]\n btrfs_submit_bbio+0x43e/0x1a80 [btrfs]\n submit_one_bio+0xde/0x160 [btrfs]\n btrfs_readahead+0x498/0x6a0 [btrfs]\n read_pages+0x1c3/0xb20\n page_cache_ra_order+0x4b5/0xc20\n filemap_get_pages+0x2d3/0x19e0\n filemap_read+0x314/0xde0\n __kernel_read+0x35b/0x900\n bprm_execve+0x62e/0x1140\n do_execveat_common.isra.0+0x3fc/0x520\n __x64_sys_execveat+0xdc/0x130\n do_syscall_64+0x54/0x1d0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nFirstly the fs has a corrupted csum tree root, thus to mount the fs we\nhave to go \"ro,rescue=ibadroots\" mount option.\n\nNormally with that mount option, a bad csum tree root should set\nBTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will\nignore csum search.\n\nBut in this particular case, we have the following call trace that\ncaused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:\n\nload_global_roots_objectid():\n\n\t\tret = btrfs_search_slot();\n\t\t/* Succeeded */\n\t\tbtrfs_item_key_to_cpu()\n\t\tfound = true;\n\t\t/* We found the root item for csum tree. */\n\t\troot = read_tree_root_path();\n\t\tif (IS_ERR(root)) {\n\t\t\tif (!btrfs_test_opt(fs_info, IGNOREBADROOTS))\n\t\t\t/*\n\t\t\t * Since we have rescue=ibadroots mount option,\n\t\t\t * @ret is still 0.\n\t\t\t */\n\t\t\tbreak;\n\tif (!found || ret) {\n\t\t/* @found is true, @ret is 0, error handling for csum\n\t\t * tree is skipped.\n\t\t */\n\t}\n\nThis means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if\nthe csum tree is corrupted, which results unexpected later csum lookup.\n\n[FIX]\nIf read_tree_root_path() failed, always populate @ret to the error\nnumber.\n\nAs at the end of the function, we need @ret to determine if we need to\ndo the extra error handling for csum tree." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:26.963Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f8ce11903211542a61f05c02caedd2edfb4256b8" }, { "url": "https://git.kernel.org/stable/c/fc97a116dc4929905538bc0bd3af7faa51192957" }, { "url": "https://git.kernel.org/stable/c/bbe9231fe611a54a447962494472f604419bad59" }, { "url": "https://git.kernel.org/stable/c/3f5c4a996f8f4fecd24a3eb344a307c50af895c2" }, { "url": "https://git.kernel.org/stable/c/547e836661554dcfa15c212a3821664e85b4191a" } ], "title": "btrfs: handle csum tree error with rescue=ibadroots correctly", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38260", "datePublished": "2025-07-09T10:42:36.204Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:26.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38251 (GCVE-0-2025-38251)
Vulnerability from cvelistv5
Published
2025-07-09 10:42
Modified
2025-07-28 04:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: prevent NULL deref in clip_push()
Blamed commit missed that vcc_destroy_socket() calls
clip_push() with a NULL skb.
If clip_devs is NULL, clip_push() then crashes when reading
skb->truesize.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a Version: 93a2014afbace907178afc3c9c1e62c9a338595a |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/atm/clip.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "41f6420ee845006354c004839fed07da71e34aee", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" }, { "lessThan": "9199e8cb75f13a1650adcb3c6cad42789c43884e", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" }, { "lessThan": "88c88f91f4b3563956bb52e7a71a3640f7ece157", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" }, { "lessThan": "3c709dce16999bf6a1d2ce377deb5dd6fdd8cb08", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" }, { "lessThan": "a07005a77b18ae59b8471e7e4d991fa9f642b3c2", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" }, { "lessThan": "ede31ad949ae0d03cb4c5edd79991586ad7c8bb8", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" }, { "lessThan": "b993ea46b3b601915ceaaf3c802adf11e7d6bac6", "status": "affected", "version": "93a2014afbace907178afc3c9c1e62c9a338595a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/atm/clip.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.240", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.187", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.143", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.96", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.36", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.240", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.187", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.143", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.96", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.36", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.5", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: prevent NULL deref in clip_push()\n\nBlamed commit missed that vcc_destroy_socket() calls\nclip_push() with a NULL skb.\n\nIf clip_devs is NULL, clip_push() then crashes when reading\nskb-\u003etruesize." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:16:13.533Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/41f6420ee845006354c004839fed07da71e34aee" }, { "url": "https://git.kernel.org/stable/c/9199e8cb75f13a1650adcb3c6cad42789c43884e" }, { "url": "https://git.kernel.org/stable/c/88c88f91f4b3563956bb52e7a71a3640f7ece157" }, { "url": "https://git.kernel.org/stable/c/3c709dce16999bf6a1d2ce377deb5dd6fdd8cb08" }, { "url": "https://git.kernel.org/stable/c/a07005a77b18ae59b8471e7e4d991fa9f642b3c2" }, { "url": "https://git.kernel.org/stable/c/ede31ad949ae0d03cb4c5edd79991586ad7c8bb8" }, { "url": "https://git.kernel.org/stable/c/b993ea46b3b601915ceaaf3c802adf11e7d6bac6" } ], "title": "atm: clip: prevent NULL deref in clip_push()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38251", "datePublished": "2025-07-09T10:42:30.877Z", "dateReserved": "2025-04-16T04:51:23.997Z", "dateUpdated": "2025-07-28T04:16:13.533Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…