{"schema_version":"1.7.2","id":"OESA-2025-1569","modified":"2025-05-30T13:48:15Z","published":"2025-05-30T13:48:15Z","upstream":["CVE-2022-49769","CVE-2022-49788","CVE-2022-49874","CVE-2025-37752","CVE-2025-37928","CVE-2025-37980"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Check sb_bsize_shift after reading superblock\n\nFuzzers like to scribble over sb_bsize_shift but in reality it\u0026apos;s very\nunlikely that this field would be corrupted on its own. Nevertheless it\nshould be checked to avoid the possibility of messy mount errors due to\nbad calculations. It\u0026apos;s always a fixed value based on the block size so\nwe can just check that it\u0026apos;s the expected value.\n\nTested with:\n\n    mkfs.gfs2 -O -p lock_nolock /dev/vdb\n    for i in 0 -1 64 65 32 33; do\n        gfs2_edit -p sb field sb_bsize_shift $i /dev/vdb\n        mount /dev/vdb /mnt/test \u0026amp;\u0026amp; umount /mnt/test\n    done\n\nBefore this patch we get a withdraw after\n\n[   76.413681] gfs2: fsid=loop0.0: fatal: invalid metadata block\n[   76.413681]   bh = 19 (type: exp=5, found=4)\n[   76.413681]   function = gfs2_meta_buffer, file = fs/gfs2/meta_io.c, line = 492\n\nand with UBSAN configured we also get complaints like\n\n[   76.373395] UBSAN: shift-out-of-bounds in fs/gfs2/ops_fstype.c:295:19\n[   76.373815] shift exponent 4294967287 is too large for 64-bit type \u0026apos;long unsigned int\u0026apos;\n\nAfter the patch, these complaints don\u0026apos;t appear, mount fails immediately\nand we get an explanation in dmesg.(CVE-2022-49769)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmisc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()\n\n`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,\nwhich may carry uninitialized data to the userspace, as observed by\nKMSAN:\n\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121\n   instrument_copy_to_user ./include/linux/instrumented.h:121\n   _copy_to_user+0x5f/0xb0 lib/usercopy.c:33\n   copy_to_user ./include/linux/uaccess.h:169\n   vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431\n   vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925\n   vfs_ioctl fs/ioctl.c:51\n  ...\n\n  Uninit was stored to memory at:\n   kmemdup+0x74/0xb0 mm/util.c:131\n   dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271\n   vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339\n   qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479\n   qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n   qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n   vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940\n   vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488\n   vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927\n  ...\n\n  Local variable ev created at:\n   qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456\n   qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n   qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n\n  Bytes 28-31 of 48 are uninitialized\n  Memory access of size 48 starts at ffff888035155e00\n  Data copied to user address 0000000020000100\n\nUse memset() to prevent the infoleaks.\n\nAlso speculatively fix qp_notify_peer_local(), which may suffer from the\nsame problem.(CVE-2022-49788)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: hyperv: fix possible memory leak in mousevsc_probe()\n\nIf hid_add_device() returns error, it should call hid_destroy_device()\nto free hid_dev which is allocated in hid_allocate_device().(CVE-2022-49874)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type \u0026apos;struct sfq_head[128]\u0026apos;\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n \u0026lt;TASK\u0026gt;\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375(CVE-2025-37752)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: don\u0026apos;t schedule in atomic context\n\nA BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and\ntry_verify_in_tasklet are enabled.\n[  129.444685][  T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421\n[  129.444723][  T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4\n[  129.444740][  T934] preempt_count: 201, expected: 0\n[  129.444756][  T934] RCU nest depth: 0, expected: 0\n[  129.444781][  T934] Preemption disabled at:\n[  129.444789][  T934] [\u0026lt;ffffffd816231900\u0026gt;] shrink_work+0x21c/0x248\n[  129.445167][  T934] kernel BUG at kernel/sched/walt/walt_debug.c:16!\n[  129.445183][  T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[  129.445204][  T934] Skip md ftrace buffer dump for: 0x1609e0\n[  129.447348][  T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G        W  OE      6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8\n[  129.447362][  T934] Hardware name: Qualcomm Technologies, Inc. Parrot QRD, Alpha-M (DT)\n[  129.447373][  T934] Workqueue: dm_bufio_cache shrink_work\n[  129.447394][  T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  129.447406][  T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug]\n[  129.447435][  T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c\n[  129.447451][  T934] sp : ffffffc0843dbc90\n[  129.447459][  T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b\n[  129.447479][  T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68\n[  129.447497][  T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900\n[  129.447517][  T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030\n[  129.447535][  T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358\n[  129.447554][  T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003\n[  129.447572][  T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400\n[  129.447591][  T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8\n[  129.447610][  T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0\n[  129.447629][  T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000\n[  129.447647][  T934] Call trace:\n[  129.447655][  T934]  android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 1400000003000000474e550080cce8a8a78606b6]\n[  129.447681][  T934]  __might_resched+0x190/0x1a8\n[  129.447694][  T934]  shrink_work+0x180/0x248\n[  129.447706][  T934]  process_one_work+0x260/0x624\n[  129.447718][  T934]  worker_thread+0x28c/0x454\n[  129.447729][  T934]  kthread+0x118/0x158\n[  129.447742][  T934]  ret_from_fork+0x10/0x20\n[  129.447761][  T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000)\n[  129.447772][  T934] ---[ end trace 0000000000000000 ]---\n\ndm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet\nis enabled, and __scan will be called in atomic context.(CVE-2025-37928)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix resource leak in blk_register_queue() error path\n\nWhen registering a queue fails after blk_mq_sysfs_register() is\nsuccessful but the function later encounters an error, we need\nto clean up the blk_mq_sysfs resources.\n\nAdd the missing blk_mq_sysfs_unregister() call in the error path\nto properly clean up these resources and prevent a memory leak.(CVE-2025-37980)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2505.5.0.0329.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","perf-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2505.5.0.0329.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","perf-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2505.5.0.0329.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1569"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49769"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49788"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49874"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37752"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37928"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37980"}],"database_specific":{"severity":"Medium"}}