{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.8.0-84-generic",
                "linux-modules-6.8.0-84-generic"
            ],
            "removed": [
                "libtirpc-common",
                "libtirpc3t64",
                "linux-image-6.8.0-71-generic",
                "linux-modules-6.8.0-71-generic"
            ],
            "diff": [
                "base-files",
                "cloud-init",
                "coreutils",
                "dpkg",
                "iproute2",
                "libc-bin",
                "libc6",
                "libpam-modules",
                "libpam-modules-bin",
                "libpam-runtime",
                "libpam0g",
                "libpython3.12-minimal",
                "libpython3.12-stdlib",
                "libsqlite3-0",
                "linux-image-virtual",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "perl-base",
                "python-apt-common",
                "python3-apt",
                "python3-distupgrade",
                "python3.12",
                "python3.12-minimal",
                "snapd",
                "ubuntu-release-upgrader-core",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "base-files",
                "from_version": {
                    "source_package_name": "base-files",
                    "source_package_version": "13ubuntu10.2",
                    "version": "13ubuntu10.2"
                },
                "to_version": {
                    "source_package_name": "base-files",
                    "source_package_version": "13ubuntu10.3",
                    "version": "13ubuntu10.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2119314
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * /etc/issue{,.net}, /etc/{lsb,os}-release: bump version to 24.04.3",
                            "    (LP: #2119314)",
                            ""
                        ],
                        "package": "base-files",
                        "version": "13ubuntu10.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2119314
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Fri, 01 Aug 2025 07:21:11 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.2-0ubuntu0~24.04.1",
                    "version": "25.1.2-0ubuntu0~24.04.1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.4-0ubuntu0~24.04.1",
                    "version": "25.1.4-0ubuntu0~24.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-11584",
                        "url": "https://ubuntu.com/security/CVE-2024-11584",
                        "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2069607,
                    2114229,
                    2069607
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Upstream snapshot based on 25.1.4.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "      + fix: disable cloud-init when non-x86 environments have no DMI-data",
                            "        and no strict datasources detected (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.4-0ubuntu0~24.04.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Tue, 24 Jun 2025 15:14:03 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-11584",
                                "url": "https://ubuntu.com/security/CVE-2024-11584",
                                "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only",
                            "    share dir (CVE-2024-11584)",
                            "  * Upstream security bugfix release based on 25.1.3.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "    - security: make hotplug socket only writable by root (LP: #2114229)",
                            "      (CVE-2024-11584)",
                            "    - security: make ds-identify behavior strict datasource discovery on",
                            "      non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.3-0ubuntu0~24.04.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2114229,
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Thu, 12 Jun 2025 20:24:45 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "coreutils",
                "from_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.4-3ubuntu6",
                    "version": "9.4-3ubuntu6"
                },
                "to_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.4-3ubuntu6.1",
                    "version": "9.4-3ubuntu6.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115274
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/suppress-permission-denied-errors-on-nfs.patch:",
                            "    - Avoid returning permission denied errors when running ls -l when reading",
                            "      file attributes. (LP: #2115274)",
                            ""
                        ],
                        "package": "coreutils",
                        "version": "9.4-3ubuntu6.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2115274
                        ],
                        "author": "Ghadi Elie Rahme <ghadi.rahme@canonical.com>",
                        "date": "Sun, 22 Jun 2025 16:21:39 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dpkg",
                "from_version": {
                    "source_package_name": "dpkg",
                    "source_package_version": "1.22.6ubuntu6.1",
                    "version": "1.22.6ubuntu6.1"
                },
                "to_version": {
                    "source_package_name": "dpkg",
                    "source_package_version": "1.22.6ubuntu6.2",
                    "version": "1.22.6ubuntu6.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2082636
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Zixing Liu ]",
                            "  * Add RUSTFLAGS to define frame pointers for Rust toolchain (LP: #2082636).",
                            "  * Replaces mainline version number 1.22.6ubuntu12 with 1.22.6ubuntu6.2 in",
                            "    the documentation to avoid confusion with backported version.",
                            "",
                            "  [ Benjamin Drung ]",
                            "  * buildflags: document RUSTFLAGS",
                            "  * buildflags: Always set RUSTFLAGS",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.22.6ubuntu6.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2082636
                        ],
                        "author": "Zixing Liu <zixing.liu@canonical.com>",
                        "date": "Thu, 26 Sep 2024 13:14:01 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "iproute2",
                "from_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "6.1.0-1ubuntu6",
                    "version": "6.1.0-1ubuntu6"
                },
                "to_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "6.1.0-1ubuntu6.2",
                    "version": "6.1.0-1ubuntu6.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115790,
                    2106115
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Do not use stdout to print info about default fan map usage (LP: #2115790)",
                            "    - d/p/1003-ubuntu-poc-fan-dynamic-map.patch",
                            ""
                        ],
                        "package": "iproute2",
                        "version": "6.1.0-1ubuntu6.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2115790
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Thu, 10 Jul 2025 16:46:54 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Expose IFLA_VXLAN_FAN_MAP version via sysctl/proc (LP: #2106115)",
                            "    - d/p/1003-ubuntu-poc-fan-dynamic-map.patch",
                            ""
                        ],
                        "package": "iproute2",
                        "version": "6.1.0-1ubuntu6.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2106115
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Thu, 26 Jun 2025 16:35:31 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.5",
                    "version": "2.39-0ubuntu8.5"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.6",
                    "version": "2.39-0ubuntu8.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8058",
                        "url": "https://ubuntu.com/security/CVE-2025-8058",
                        "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-23 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8058",
                                "url": "https://ubuntu.com/security/CVE-2025-8058",
                                "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-23 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free in regcomp function",
                            "    - debian/patches/any/CVE-2025-8058.patch: fix double-free after",
                            "      allocation failure in regcomp in posix/Makefile, posix/regcomp.c,",
                            "      posix/tst-regcomp-bracket-free.c.",
                            "    - CVE-2025-8058",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.6",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 17 Sep 2025 10:55:42 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc6",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.5",
                    "version": "2.39-0ubuntu8.5"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.6",
                    "version": "2.39-0ubuntu8.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8058",
                        "url": "https://ubuntu.com/security/CVE-2025-8058",
                        "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-23 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8058",
                                "url": "https://ubuntu.com/security/CVE-2025-8058",
                                "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-23 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free in regcomp function",
                            "    - debian/patches/any/CVE-2025-8058.patch: fix double-free after",
                            "      allocation failure in regcomp in posix/Makefile, posix/regcomp.c,",
                            "      posix/tst-regcomp-bracket-free.c.",
                            "    - CVE-2025-8058",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.6",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 17 Sep 2025 10:55:42 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-modules",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.4",
                    "version": "1.5.3-5ubuntu5.4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.5",
                    "version": "1.5.3-5ubuntu5.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:37:15 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-modules-bin",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.4",
                    "version": "1.5.3-5ubuntu5.4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.5",
                    "version": "1.5.3-5ubuntu5.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:37:15 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-runtime",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.4",
                    "version": "1.5.3-5ubuntu5.4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.5",
                    "version": "1.5.3-5ubuntu5.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:37:15 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam0g",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.4",
                    "version": "1.5.3-5ubuntu5.4"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.5",
                    "version": "1.5.3-5ubuntu5.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:37:15 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.12-minimal",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 15:17:21 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.12-stdlib",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 15:17:21 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsqlite3-0",
                "from_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.45.1-1ubuntu2.4",
                    "version": "3.45.1-1ubuntu2.4"
                },
                "to_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.45.1-1ubuntu2.5",
                    "version": "3.45.1-1ubuntu2.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-7709",
                        "url": "https://ubuntu.com/security/CVE-2025-7709",
                        "cve_description": "An integer overflow exists in the FTS5 (https://sqlite.org/fts5.html) extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-08 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-7709",
                                "url": "https://ubuntu.com/security/CVE-2025-7709",
                                "cve_description": "An integer overflow exists in the FTS5 (https://sqlite.org/fts5.html) extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-08 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in FTS5 extension",
                            "    - debian/patches/CVE-2025-7709.patch: optimize allocation of large",
                            "      tombstone arrays in fts5 in ext/fts5/fts5_index.c.",
                            "    - CVE-2025-7709",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.45.1-1ubuntu2.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 11 Sep 2025 14:06:42 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.8.0-71.71",
                    "version": "6.8.0-71.71"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.8.0-84.84",
                    "version": "6.8.0-84.84"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-84.84",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-84.84",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 05 Sep 2025 13:39:46 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-81.81",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-81.81",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 29 Aug 2025 14:37:49 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-80.80",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-80.80",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 15 Aug 2025 15:18:37 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-79.79",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-79.79",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 12 Aug 2025 12:35:32 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-78.78",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-78.78",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 12 Aug 2025 11:54:26 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-76.76",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-76.76",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sat, 09 Aug 2025 03:05:14 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-74.74",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-74.74",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 08 Aug 2025 14:22:35 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-72.72",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-72.72",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:37:18 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.13",
                    "version": "1:9.6p1-3ubuntu13.13"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.14",
                    "version": "1:9.6p1-3ubuntu13.14"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.6p1-3ubuntu13.14",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 09:49:17 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.13",
                    "version": "1:9.6p1-3ubuntu13.13"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.14",
                    "version": "1:9.6p1-3ubuntu13.14"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.6p1-3ubuntu13.14",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 09:49:17 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.13",
                    "version": "1:9.6p1-3ubuntu13.13"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.14",
                    "version": "1:9.6p1-3ubuntu13.14"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.6p1-3ubuntu13.14",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 09:49:17 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-base",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.38.2-3.2ubuntu0.1",
                    "version": "5.38.2-3.2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.38.2-3.2ubuntu0.2",
                    "version": "5.38.2-3.2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40909",
                        "url": "https://ubuntu.com/security/CVE-2025-40909",
                        "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths.  If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.  This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.  The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-30 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40909",
                                "url": "https://ubuntu.com/security/CVE-2025-40909",
                                "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths.  If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.  This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.  The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-30 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: threads race condition in file operations",
                            "    - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for",
                            "      fdopendir in regen-configure/U/perl/d_fdopendir.U.",
                            "    - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without",
                            "      fchdir in Configure, Cross/config.sh-arm-linux,",
                            "      Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,",
                            "      config_h.SH, configure.com, plan9/config_sh.sample, sv.c,",
                            "      t/op/threads-dirh.t, win32/config.gc, win32/config.vc.",
                            "    - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in",
                            "      Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,",
                            "      config_h.SH,plan9/config_sh.sample.",
                            "    - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec",
                            "      in Perl_dirp_dup to set O_CLOEXEC in sv.c.",
                            "    - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly",
                            "      reorder Configure and config_h.SH to match metaconfig output in",
                            "      Configure, config_h.SH.",
                            "    - debian/patches/fixes/CVE-2025-40909-generated.diff: update generated",
                            "      files and checksums in uconfig.sh, uconfig64.sh, uconfig.h.",
                            "    - CVE-2025-40909",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.38.2-3.2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 13:26:40 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python-apt-common",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu4",
                    "version": "2.7.7ubuntu4"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu5",
                    "version": "2.7.7ubuntu5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2118784
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Mirror list update for 24.04.3 (LP: #2118784)",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "2.7.7ubuntu5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2118784
                        ],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 17:23:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apt",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu4",
                    "version": "2.7.7ubuntu4"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "2.7.7ubuntu5",
                    "version": "2.7.7ubuntu5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2118784
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Mirror list update for 24.04.3 (LP: #2118784)",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "2.7.7ubuntu5",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2118784
                        ],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 17:23:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distupgrade",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:24.04.26",
                    "version": "1:24.04.26"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:24.04.27",
                    "version": "1:24.04.27"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2118789
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Run pre-build.sh: updating mirrors for point release (LP: #2118789)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:24.04.27",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2118789
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 12:08:16 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.12",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 15:17:21 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.12-minimal",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.8",
                    "version": "3.12.3-1ubuntu0.8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 15:17:21 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.67.1+24.04",
                    "version": "2.67.1+24.04"
                },
                "to_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.68.5+ubuntu24.04.1",
                    "version": "2.68.5+ubuntu24.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098137,
                    2109843,
                    2104933,
                    2099709,
                    2101834,
                    2089195,
                    2072987,
                    1712808,
                    1966203,
                    1886414,
                    2089691
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2098137",
                            "    - LP: #2109843 fix missing preseed files when running in a container",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.5+ubuntu24.04.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098137,
                            2109843
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 21 May 2025 17:46:09 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - Snap components: LP: #2104933 workaround for classic 24.04/24.10",
                            "      models that incorrectly specify core22 instead of core24",
                            "    - Update build dependencies",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.4+ubuntu24.04",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2104933
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 02 Apr 2025 19:48:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - FDE: use boot mode for FDE hooks",
                            "    - FDE: add snap-bootstrap compatibility check to prevent image",
                            "      creation with incompatible snapd and kernel snap",
                            "    - FDE: add argon2 out-of-process KDF support",
                            "    - FDE: have separate mutex for the sections writing a fresh modeenv",
                            "    - FDE: LP: #2099709 update secboot to e07f4ae48e98",
                            "    - FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to",
                            "      old keyring path",
                            "    - Confdb: support pruning ephemeral data and process alternative",
                            "      types in order",
                            "    - core-initrd: look at env to mount directly to /sysroot",
                            "    - core-initrd: prepare for Plucky build and split out 24.10",
                            "      (Oracular)",
                            "    - Fix Plucky snapd deb build issue related to /var/lib/snapd/void",
                            "      permissions",
                            "    - Fix snapd deb build complaint about ifneq with extra bracket",
                            "    - Fix missing primed packages in snapd snap manifest",
                            "    - Interfaces: posix-mq | fix incorrect clobbering of global variable",
                            "      and make interface more precise",
                            "    - Interfaces: opengl | add more kernel fusion driver files",
                            "    - Fix snap-confine type specifier type mismatch on armhf",
                            "    - FDE: add support for new and more extensible key format that is",
                            "      unified between TPM and FDE hook",
                            "    - FDE: add support for adding passphrases during installation",
                            "    - FDE: update secboot to 30317622bbbc",
                            "    - Snap components: make kernel components available on firstboot",
                            "      after either initramfs or ephemeral rootfs style install",
                            "    - Snap components: mount drivers tree from initramfs so kernel",
                            "      modules are available in early boot stages",
                            "    - Snap components: support remodeling to models that contain",
                            "      components",
                            "    - Snap components: support offline remodeling to models that contain",
                            "      components",
                            "    - Snap components: support creating new recovery systems with",
                            "      components",
                            "    - Snap components: support downloading components with 'snap",
                            "      download' command",
                            "    - Snap components: support sideloading asserted components",
                            "    - AppArmor Prompting(experimental): improve version checks and",
                            "      handling of listener notification protocol for communication with",
                            "      kernel AppArmor",
                            "    - AppArmor Prompting(experimental): make prompt replies idempotent,",
                            "      and have at most one rule for any given path pattern, with",
                            "      potentially mixed outcomes and lifespans",
                            "    - AppArmor Prompting(experimental): timeout unresolved prompts after",
                            "      a period of client inactivity",
                            "    - AppArmor Prompting(experimental): return an error if a patch",
                            "      request to the API would result in a rule without any permissions",
                            "    - AppArmor Prompting(experimental): warn if there is no prompting",
                            "      client present but prompting is enabled, or if a prompting-related",
                            "      error occurs during snapd startup",
                            "    - AppArmor Prompting(experimental): do not log error when converting",
                            "      empty permissions to AppArmor permissions",
                            "    - Confdb(experimental): rename registries to confdbs (including API",
                            "      /v2/registries => /v2/confdb)",
                            "    - Confdb(experimental): support marking confdb schemas as ephemeral",
                            "    - Confdb(experimental): add confdb-control assertion and feature",
                            "      flag",
                            "    - Refresh App Awareness(experimental): LP: #2089195 prevent",
                            "      possibility of incorrect notification that snap will quit and",
                            "      update",
                            "    - Confidential VMs: snap-bootstrap support for loading partition",
                            "      information from a manifest file for cloudimg-rootfs mode",
                            "    - Confidential VMs: snap-bootstrap support for setting up cloudimg-",
                            "      rootfs as an overlayfs with integrity protection",
                            "    - dm-verity for essential snaps: add support for snap-integrity",
                            "      assertion",
                            "    - Interfaces: modify AppArmor template to allow owner read on",
                            "      @{PROC}/@{pid}/fdinfo/*",
                            "    - Interfaces: LP: #2072987 modify AppArmor template to allow using",
                            "      setpriv to run daemon as non-root user",
                            "    - Interfaces: add configfiles backend that ensures the state of",
                            "      configuration files in the filesystem",
                            "    - Interfaces: add ldconfig backend that exposes libraries coming",
                            "      from snaps to either the rootfs or to other snaps",
                            "    - Interfaces: LP: #1712808 disable udev backend when",
                            "      inside a container",
                            "    - Interfaces: add auditd-support interface that grants audit_control",
                            "      capability and required paths for auditd to function",
                            "    - Interfaces: add checkbox-support interface that allows",
                            "      unrestricted access to all devices",
                            "    - Interfaces: fwupd | allow access to dell bios recovery",
                            "    - Interfaces: fwupd | allow access to shim and fallback shim",
                            "    - Interfaces: mount-control | add mount option validator to detect",
                            "      mount option conflicts early",
                            "    - Interfaces: cpu-control | add read access to /sys/kernel/irq/",
                            "    - Interfaces: locale-control | changed to be implicit on Ubuntu Core",
                            "      Desktop",
                            "    - Interfaces: microstack-support | support for utilizing AMD SEV",
                            "      capabilities",
                            "    - Interfaces: u2f | added missing OneSpan device product IDs",
                            "    - Interfaces: auditd-support | grant seccomp setpriority",
                            "    - Interfaces: opengl interface | enable parsing of nvidia driver",
                            "      information files",
                            "    - Interfaces: mount-control interface | add CIFS support",
                            "    - Allow mksquashfs 'xattrs' when packing snap types os, core, base",
                            "      and snapd as part of work to support non-root snap-confine",
                            "    - Upstream/downstream packaging changes and build updates",
                            "    - Improve error logs for malformed desktop files to also show which",
                            "      desktop file is at fault",
                            "    - Provide more precise error message when overriding channels with",
                            "      grade during seed creation",
                            "    - Expose 'snap prepare-image' validation parameter",
                            "    - Add snap-seccomp 'dump' command that dumps the filter rules from a",
                            "      compiled profile",
                            "    - Add fallback release info location /etc/initrd-release",
                            "    - Added core-initrd to snapd repo and fixed issues with ubuntu-core-",
                            "      initramfs deb builds",
                            "    - Remove stale robust-mount-namespace-updates experimental feature",
                            "      flag",
                            "    - Remove snapd-snap experimental feature (rejected) and its feature",
                            "      flag",
                            "    - Changed snap-bootstrap to mount base directly on /sysroot",
                            "    - Mount ubuntu-seed as no-{suid,exec,dev}",
                            "    - Mapping volumes to disks: add support for volume-assignments in",
                            "      gadget",
                            "    - Fix silently broken binaries produced by distro patchelf 0.14.3 by",
                            "      using locally built patchelf 0.18",
                            "    - Fix mismatch between listed refresh candidates and actual refresh",
                            "      due to outdated validation sets",
                            "    - Fix 'snap get' to produce compact listing for tty",
                            "    - Fix missing store-url by keeping it as part of auxiliary store",
                            "      info",
                            "    - Fix snap-confine attempting to retrieve device cgroup setup inside",
                            "      container where it is not available",
                            "    - Fix 'snap set' and 'snap get' panic on empty strings with early",
                            "      error checking",
                            "    - Fix logger debug entries to show correct caller and file",
                            "      information",
                            "    - Fix issue preventing hybrid systems from being seeded on first",
                            "      boot",
                            "    - LP: #1966203 remove auto-import udev rules not required by deb",
                            "      package to avoid unwanted syslog errors",
                            "    - LP: #1886414 fix progress reporting when stdout is on a tty, but",
                            "      stdin is not",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.3+ubuntu24.04.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2099709,
                            2101834,
                            2089195,
                            2072987,
                            1712808,
                            1966203,
                            1886414
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Mon, 10 Mar 2025 20:13:38 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2089691",
                            "    - AppArmor prompting (experimental): allow overlapping rules",
                            "    - Registry view (experimental): Changes to registry data (from both",
                            "      users and snaps) can be validated and saved by custodian snaps",
                            "    - Registry view (experimental): Support 'snapctl get --pristine' to",
                            "      read the registry data excluding staged transaction changes",
                            "    - Registry view (experimental): Put registry commands behind",
                            "      experimental feature flag",
                            "    - Components: Make modules shipped/created by kernel-modules",
                            "      components available right after reboot",
                            "    - Components: Add tab completion for local component files",
                            "    - Components: Allow installing snaps and components from local files",
                            "      jointly on the CLI",
                            "    - Components: Allow 'snapctl model' command for gadget and kernel",
                            "      snaps",
                            "    - Components: Add 'snap components' command",
                            "    - Components: Bug fixes",
                            "    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for",
                            "      eMMC schema",
                            "    - Support for ephemeral recovery mode on hybrid systems",
                            "    - Support for dm-verity options in snap-bootstrap",
                            "    - Support for overlayfs options and allow empty what argument for",
                            "      tmpfs",
                            "    - Enable ubuntu-image to determine the size of the disk image to",
                            "      create",
                            "    - Expose 'snap debug' commands 'validate-seed' and 'seeding'",
                            "    - Add debug API option to use dedicated snap socket /run/snapd-",
                            "      snap.socket",
                            "    - Hide experimental features that are no longer required",
                            "      (accepted/rejected)",
                            "    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run",
                            "      and factory-reset",
                            "    - Improve memory controller support with cgroup v2",
                            "    - Support ssh socket activation configurations (used by ubuntu",
                            "      22.10+)",
                            "    - Fix generation of AppArmor profile with incorrect revision during",
                            "      multi snap refresh",
                            "    - Fix refresh app awareness related deadlock edge case",
                            "    - Fix not caching delta updated snap download",
                            "    - Fix passing non root uid, guid to initial tmpfs mount",
                            "    - Fix ignoring snaps in try mode when amending",
                            "    - Fix reloading of service activation units to avoid systemd errors",
                            "    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS",
                            "      updates PPA",
                            "    - Make killing of snap apps best effort to avoid possibility of",
                            "      malicious failure loop",
                            "    - Alleviate impact of auto-refresh failure loop with progressive",
                            "      delay",
                            "    - Dropped timedatex in selinux-policy to avoid runtime issue",
                            "    - Fix missing syscalls in seccomp profile",
                            "    - Modify AppArmor template to allow using SNAP_REEXEC on arch",
                            "      systems",
                            "    - Modify AppArmor template to allow using vim.tiny (available in",
                            "      base snaps)",
                            "    - Modify AppArmor template to add read-access to debian_version",
                            "    - Modify AppArmor template to allow owner to read",
                            "      @{PROC}/@{pid}/sessionid",
                            "    - {common,personal,system}-files interface: prohibit trailing @ in",
                            "      filepaths",
                            "    - {desktop,shutdown,system-observe,upower-observe} interface:",
                            "      improve for Ubuntu Core Desktop",
                            "    - custom-device interface: allow @ in custom-device filepaths",
                            "    - desktop interface: improve launch entry and systray integration",
                            "      with session",
                            "    - desktop-legacy interface: allow DBus access to",
                            "      com.canonical.dbusmenu",
                            "    - fwupd interface: allow access to nvmem for thunderbolt plugin",
                            "    - mpris interface: add plasmashell as label",
                            "    - mount-control interface: add support for nfs mounts",
                            "    - network-{control,manager} interface: add missing dbus link rules",
                            "    - network-manager-observe interface: add getDevices methods",
                            "    - opengl interface: add Kernel Fusion Driver access to opengl",
                            "    - screen-inhibit-control interface: improve screen inhibit control",
                            "      for use on core",
                            "    - udisks2 interface: allow ping of the UDisks2 service",
                            "    - u2f-devices interface: add Nitrokey Passkey",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.67",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2089691
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Mon, 02 Dec 2024 23:14:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-release-upgrader-core",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:24.04.26",
                    "version": "1:24.04.26"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:24.04.27",
                    "version": "1:24.04.27"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2118789
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Run pre-build.sh: updating mirrors for point release (LP: #2118789)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:24.04.27",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2118789
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 12:08:16 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.8",
                    "version": "2:9.1.0016-1ubuntu7.8"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.9",
                    "version": "2:9.1.0016-1ubuntu7.9"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-53905",
                        "url": "https://ubuntu.com/security/CVE-2025-53905",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-53906",
                        "url": "https://ubuntu.com/security/CVE-2025-53906",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 21:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-53905",
                                "url": "https://ubuntu.com/security/CVE-2025-53905",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-53906",
                                "url": "https://ubuntu.com/security/CVE-2025-53906",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 21:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path traversal when opening specially crafted tar/zip",
                            "    archives.",
                            "    - debian/patches/CVE-2025-53905.patch: remove leading slashes from name,",
                            "      replace tar_secure with g:tar_secure in runtime/autoload/tar.vim.",
                            "    - debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w,",
                            "      call warning for path traversal attack, and escape leading \"../\" in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2025-53905",
                            "    - CVE-2025-53906",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0016-1ubuntu7.9",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Fri, 05 Sep 2025 17:14:46 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.8.0-84-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-71.71",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-84.84",
                    "version": "6.8.0-84.84"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-84.84",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-84.84",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 05 Sep 2025 13:38:09 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-81.81",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-81.81",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 29 Aug 2025 14:37:19 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-80.80",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-80.80",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 15 Aug 2025 15:19:22 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-79.79",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-79.79",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 12 Aug 2025 12:35:00 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-78.78",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-78.78",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 12 Aug 2025 11:46:57 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-76.76",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-76.76",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sat, 09 Aug 2025 03:05:57 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-74.74",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-74.74",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 08 Aug 2025 14:22:56 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-72.72",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-72.72",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:36:36 +0200"
                    }
                ],
                "notes": "linux-image-6.8.0-84-generic version '6.8.0-84.84' (source package linux-signed version '6.8.0-84.84') was added. linux-image-6.8.0-84-generic version '6.8.0-84.84' has the same source package name, linux-signed, as removed package linux-image-6.8.0-71-generic. As such we can use the source package version of the removed package, '6.8.0-71.71', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-84-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-71.71",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-84.84",
                    "version": "6.8.0-84.84"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-21872",
                        "url": "https://ubuntu.com/security/CVE-2025-21872",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  efi: Don't map the entire mokvar table to determine its size  Currently, when validating the mokvar table, we (re)map the entire table on each iteration of the loop, adding space as we discover new entries. If the table grows over a certain size, this fails due to limitations of early_memmap(), and we get a failure and traceback:    ------------[ cut here ]------------   WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220   ...   Call Trace:    <TASK>    ? __early_ioremap+0xef/0x220    ? __warn.cold+0x93/0xfa    ? __early_ioremap+0xef/0x220    ? report_bug+0xff/0x140    ? early_fixup_exception+0x5d/0xb0    ? early_idt_handler_common+0x2f/0x3a    ? __early_ioremap+0xef/0x220    ? efi_mokvar_table_init+0xce/0x1d0    ? setup_arch+0x864/0xc10    ? start_kernel+0x6b/0xa10    ? x86_64_start_reservations+0x24/0x30    ? x86_64_start_kernel+0xed/0xf0    ? common_startup_64+0x13e/0x141    </TASK>   ---[ end trace 0000000000000000 ]---   mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.  Mapping the entire structure isn't actually necessary, as we don't ever need more than one entry header mapped at once.  Changes efi_mokvar_table_init() to only map each entry header, not the entire table, when determining the table size.  Since we're not mapping any data past the variable name, it also changes the code to enforce that each variable name is NUL terminated, rather than attempting to verify it in place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21880",
                        "url": "https://ubuntu.com/security/CVE-2025-21880",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/userptr: fix EFAULT handling  Currently we treat EFAULT from hmm_range_fault() as a non-fatal error when called from xe_vm_userptr_pin() with the idea that we want to avoid killing the entire vm and chucking an error, under the assumption that the user just did an unmap or something, and has no intention of actually touching that memory from the GPU.  At this point we have already zapped the PTEs so any access should generate a page fault, and if the pin fails there also it will then become fatal.  However it looks like it's possible for the userptr vma to still be on the rebind list in preempt_rebind_work_func(), if we had to retry the pin again due to something happening in the caller before we did the rebind step, but in the meantime needing to re-validate the userptr and this time hitting the EFAULT.  This explains an internal user report of hitting:  [  191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe] [  191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738690] Call Trace: [  191.738692]  <TASK> [  191.738694]  ? show_regs+0x69/0x80 [  191.738698]  ? __warn+0x93/0x1a0 [  191.738703]  ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738759]  ? report_bug+0x18f/0x1a0 [  191.738764]  ? handle_bug+0x63/0xa0 [  191.738767]  ? exc_invalid_op+0x19/0x70 [  191.738770]  ? asm_exc_invalid_op+0x1b/0x20 [  191.738777]  ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738834]  ? ret_from_fork_asm+0x1a/0x30 [  191.738849]  bind_op_prepare+0x105/0x7b0 [xe] [  191.738906]  ? dma_resv_reserve_fences+0x301/0x380 [  191.738912]  xe_pt_update_ops_prepare+0x28c/0x4b0 [xe] [  191.738966]  ? 
kmemleak_alloc+0x4b/0x80 [  191.738973]  ops_execute+0x188/0x9d0 [xe] [  191.739036]  xe_vm_rebind+0x4ce/0x5a0 [xe] [  191.739098]  ? trace_hardirqs_on+0x4d/0x60 [  191.739112]  preempt_rebind_work_func+0x76f/0xd00 [xe]  Followed by NPD, when running some workload, since the sg was never actually populated but the vma is still marked for rebind when it should be skipped for this special EFAULT case. This is confirmed to fix the user report.  v2 (MattB):  - Move earlier. v3 (MattB):  - Update the commit message to make it clear that this indeed fixes the    issue.  (cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21890",
                        "url": "https://ubuntu.com/security/CVE-2025-21890",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: fix checksums set in idpf_rx_rsc()  idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet.  This triggers the following warning for CONFIG_DEBUG_NET=y builds.  DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))  [   69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth [   69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S      W         6.14.0-smp-DEV #1697 [   69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN [   69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748) [   69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261687] ? report_bug (lib/bug.c:?) [   69.261690] ? handle_bug (arch/x86/kernel/traps.c:285) [   69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309) [   69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [   69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf [   69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf [   69.261712] __napi_poll (net/core/dev.c:7194) [   69.261716] net_rx_action (net/core/dev.c:7265) [   69.261718] ? __qdisc_run (net/sched/sch_generic.c:293) [   69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288) [   69.261726] handle_softirqs (kernel/softirq.c:561)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21885",
                        "url": "https://ubuntu.com/security/CVE-2025-21885",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers  While using nvme target with use_srq on, below kernel panic is noticed.  [  549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [  566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI .. [  566.393799]  <TASK> [  566.393807]  ? __die_body+0x1a/0x60 [  566.393823]  ? die+0x38/0x60 [  566.393835]  ? do_trap+0xe4/0x110 [  566.393847]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393867]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393881]  ? do_error_trap+0x7c/0x120 [  566.393890]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393911]  ? exc_divide_error+0x34/0x50 [  566.393923]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393939]  ? asm_exc_divide_error+0x16/0x20 [  566.393966]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393997]  bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re] [  566.394040]  bnxt_re_create_srq+0x335/0x3b0 [bnxt_re] [  566.394057]  ? srso_return_thunk+0x5/0x5f [  566.394068]  ? __init_swait_queue_head+0x4a/0x60 [  566.394090]  ib_create_srq_user+0xa7/0x150 [ib_core] [  566.394147]  nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma] [  566.394174]  ? lock_release+0x22c/0x3f0 [  566.394187]  ? srso_return_thunk+0x5/0x5f  Page size and shift info is set only for the user space SRQs. Set page size and page shift for kernel space SRQs also.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21888",
                        "url": "https://ubuntu.com/security/CVE-2025-21888",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix a WARN during dereg_mr for DM type  Memory regions (MR) of type DM (device memory) do not have an associated umem.  In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped.  This results in a WARN [1], as shown below.  The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs().  [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS:  00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21892",
                        "url": "https://ubuntu.com/security/CVE-2025-21892",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix the recovery flow of the UMR QP  This patch addresses an issue in the recovery flow of the UMR QP, ensuring tasks do not get stuck, as highlighted by the call trace [1].  During recovery, before transitioning the QP to the RESET state, the software must wait for all outstanding WRs to complete.  Failing to do so can cause the firmware to skip sending some flushed CQEs with errors and simply discard them upon the RESET, as per the IB specification.  This race condition can result in lost CQEs and tasks becoming stuck.  To resolve this, the patch sends a final WR which serves only as a barrier before moving the QP state to RESET.  Once a CQE is received for that final WR, it guarantees that no outstanding WRs remain, making it safe to transition the QP to RESET and subsequently back to RTS, restoring proper functionality.  Note: For the barrier WR, we simply reuse the failed and ready WR. Since the QP is in an error state, it will only receive IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't care about its status.  [1] INFO: task rdma_resource_l:1922 blocked for more than 120 seconds. Tainted: G        W          6.12.0-rc7+ #1626 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:rdma_resource_l state:D stack:0  pid:1922 tgid:1922  ppid:1369      flags:0x00004004 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 schedule_timeout+0x280/0x300 ? mark_held_locks+0x48/0x80 ? lockdep_hardirqs_on_prepare+0xe5/0x1a0 wait_for_completion+0x75/0x130 mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib] ? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib] mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib] __mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? 
lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? __lock_acquire+0x64e/0x2080 ? mark_held_locks+0x48/0x80 ? find_held_lock+0x2d/0xa0 ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? __fget_files+0xc3/0x1b0 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f99c918b17b RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:      0000000000000010 RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:      00007f99c918b17b RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:      0000000000000003 RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:      000000000000bd7e R10: 00007f99c94c1c70 R11: 0000000000000246 R12:      00007ffc766d0530 R13: 000000000000001c R14: 0000000040246a80 R15:      0000000000000000 </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21873",
                        "url": "https://ubuntu.com/security/CVE-2025-21873",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: bsg: Fix crash when arpmb command fails  If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn().  In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len.  Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22  4,1308,531166555,-;Call Trace:  4,1309,531166559,-; <TASK>  4,1310,531166565,-; ? show_regs+0x6d/0x80  4,1311,531166575,-; ? die+0x37/0xa0  4,1312,531166583,-; ? do_trap+0xd4/0xf0  4,1313,531166593,-; ? do_error_trap+0x71/0xb0  4,1314,531166601,-; ? usercopy_abort+0x6c/0x80  4,1315,531166610,-; ? exc_invalid_op+0x52/0x80  4,1316,531166622,-; ? usercopy_abort+0x6c/0x80  4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20  4,1318,531166643,-; ? usercopy_abort+0x6c/0x80  4,1319,531166652,-; __check_heap_object+0xe3/0x120  4,1320,531166661,-; check_heap_object+0x185/0x1d0  4,1321,531166670,-; __check_object_size.part.0+0x72/0x150  4,1322,531166679,-; __check_object_size+0x23/0x30  4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58090",
                        "url": "https://ubuntu.com/security/CVE-2024-58090",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/core: Prevent rescheduling when interrupts are disabled  David reported a warning observed while loop testing kexec jump:    Interrupts enabled after irqrouter_resume+0x0/0x50   WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220    kernel_kexec+0xf6/0x180    __do_sys_reboot+0x206/0x250    do_syscall_64+0x95/0x180  The corresponding interrupt flag trace:    hardirqs last  enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90   hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90  That means __up_console_sem() was invoked with interrupts enabled. Further instrumentation revealed that in the interrupt disabled section of kexec jump one of the syscore_suspend() callbacks woke up a task, which set the NEED_RESCHED flag. A later callback in the resume path invoked cond_resched() which in turn led to the invocation of the scheduler:    __cond_resched+0x21/0x60   down_timeout+0x18/0x60   acpi_os_wait_semaphore+0x4c/0x80   acpi_ut_acquire_mutex+0x3d/0x100   acpi_ns_get_node+0x27/0x60   acpi_ns_evaluate+0x1cb/0x2d0   acpi_rs_set_srs_method_data+0x156/0x190   acpi_pci_link_set+0x11c/0x290   irqrouter_resume+0x54/0x60   syscore_resume+0x6a/0x200   kernel_kexec+0x145/0x1c0   __do_sys_reboot+0xeb/0x240   do_syscall_64+0x95/0x180  This is a long standing problem, which probably got more visible with the recent printk changes. Something does a task wakeup and the scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and invokes schedule() from a completely bogus context. The scheduler enables interrupts after context switching, which causes the above warning at the end.  Quite some of the code paths in syscore_suspend()/resume() can result in triggering a wakeup with the exactly same consequences. 
They might not have done so yet, but as they share a lot of code with normal operations it's just a question of time.  The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling models. Full preemption is not affected as cond_resched() is disabled and the preemption check preemptible() takes the interrupt disabled flag into account.  Cure the problem by adding a corresponding check into cond_resched().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21875",
                        "url": "https://ubuntu.com/security/CVE-2025-21875",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: always handle address removal under msk socket lock  Syzkaller reported a lockdep splat in the PM control path:    WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]   WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]   WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788   Modules linked in:   CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024   RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]   RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]   RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788   Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff   RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283   RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000   RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408   RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000   R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0   R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00   FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400   Call Trace:    <TASK>    mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59    
mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486    mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]    mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629    genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]    genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]    genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210    netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543    genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219    netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]    netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348    netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892    sock_sendmsg_nosec net/socket.c:718 [inline]    __sock_sendmsg+0x221/0x270 net/socket.c:733    ____sys_sendmsg+0x53a/0x860 net/socket.c:2573    ___sys_sendmsg net/socket.c:2627 [inline]    __sys_sendmsg+0x269/0x350 net/socket.c:2659    do_syscall_x64 arch/x86/entry/common.c:52 [inline]    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7f7e9998cde9   Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48   RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e   RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9   RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007   RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000   R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088  Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock.  The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications.  
The above statement is incorrect, as without locks another process could concur ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21877",
                        "url": "https://ubuntu.com/security/CVE-2025-21877",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: gl620a: fix endpoint checking in genelink_bind()  Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch.  Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing.  [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... 
Call Trace:  <TASK>  usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]  netdev_start_xmit include/linux/netdevice.h:5011 [inline]  xmit_one net/core/dev.c:3590 [inline]  dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606  sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343  __dev_xmit_skb net/core/dev.c:3827 [inline]  __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400  dev_queue_xmit include/linux/netdevice.h:3168 [inline]  neigh_resolve_output net/core/neighbour.c:1514 [inline]  neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494  neigh_output include/net/neighbour.h:539 [inline]  ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141  __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]  ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226  NF_HOOK_COND include/linux/netfilter.h:303 [inline]  ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247  dst_output include/net/dst.h:450 [inline]  NF_HOOK include/linux/netfilter.h:314 [inline]  NF_HOOK include/linux/netfilter.h:308 [inline]  mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819  mld_send_cr net/ipv6/mcast.c:2120 [inline]  mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651  process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229  process_scheduled_works kernel/workqueue.c:3310 [inline]  worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391  kthread+0x2c1/0x3a0 kernel/kthread.c:389  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21878",
                        "url": "https://ubuntu.com/security/CVE-2025-21878",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  i2c: npcm: disable interrupt enable bit before devm_request_irq  The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset.  Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer.  Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only.  Here is the soft lockup log. [   28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [   28.183351] Modules linked in: [   28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [   28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [   28.208128] pc : __do_softirq+0xb0/0x368 [   28.212055] lr : __do_softirq+0x70/0x368 [   28.215972] sp : ffffff8035ebca00 [   28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [   28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [   28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [   28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [   28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [   28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [   28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [   28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [   28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 
x3 : 0000000000000198 [   28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [   28.290611] Call trace: [   28.293052]  __do_softirq+0xb0/0x368 [   28.296625]  __irq_exit_rcu+0xe0/0x100 [   28.300374]  irq_exit+0x14/0x20 [   28.303513]  handle_domain_irq+0x68/0x90 [   28.307440]  gic_handle_irq+0x78/0xb0 [   28.311098]  call_on_irq_stack+0x20/0x38 [   28.315019]  do_interrupt_handler+0x54/0x5c [   28.319199]  el1_interrupt+0x2c/0x4c [   28.322777]  el1h_64_irq_handler+0x14/0x20 [   28.326872]  el1h_64_irq+0x74/0x78 [   28.330269]  __setup_irq+0x454/0x780 [   28.333841]  request_threaded_irq+0xd0/0x1b4 [   28.338107]  devm_request_threaded_irq+0x84/0x100 [   28.342809]  npcm_i2c_probe_bus+0x188/0x3d0 [   28.346990]  platform_probe+0x6c/0xc4 [   28.350653]  really_probe+0xcc/0x45c [   28.354227]  __driver_probe_device+0x8c/0x160 [   28.358578]  driver_probe_device+0x44/0xe0 [   28.362670]  __driver_attach+0x124/0x1d0 [   28.366589]  bus_for_each_dev+0x7c/0xe0 [   28.370426]  driver_attach+0x28/0x30 [   28.373997]  bus_add_driver+0x124/0x240 [   28.377830]  driver_register+0x7c/0x124 [   28.381662]  __platform_driver_register+0x2c/0x34 [   28.386362]  npcm_i2c_init+0x3c/0x5c [   28.389937]  do_one_initcall+0x74/0x230 [   28.393768]  kernel_init_freeable+0x24c/0x2b4 [   28.398126]  kernel_init+0x28/0x130 [   28.401614]  ret_from_fork+0x10/0x20 [   28.405189] Kernel panic - not syncing: softlockup: hung tasks [   28.411011] SMP: stopping secondary CPUs [   28.414933] Kernel Offset: disabled [   28.418412] CPU features: 0x00000000,00000802 [   28.427644] Rebooting in 20 seconds..",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21889",
                        "url": "https://ubuntu.com/security/CVE-2025-21889",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Add RCU read lock protection to perf_iterate_ctx()  The perf_iterate_ctx() function performs RCU list traversal but currently lacks RCU read lock protection. This causes lockdep warnings when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y:  \tWARNING: suspicious RCU usage \tkernel/events/core.c:8168 RCU-list traversed in non-reader section!!  \t Call Trace: \t  lockdep_rcu_suspicious \t  ? perf_event_addr_filters_apply \t  perf_iterate_ctx \t  perf_event_exec \t  begin_new_exec \t  ? load_elf_phdrs \t  load_elf_binary \t  ? lock_acquire \t  ? find_held_lock \t  ? bprm_execve \t  bprm_execve \t  do_execveat_common.isra.0 \t  __x64_sys_execve \t  do_syscall_64 \t  entry_SYSCALL_64_after_hwframe  This protection was previously present but was removed in commit bd2756811766 (\"perf: Rewrite core context handling\"). Add back the necessary rcu_read_lock()/rcu_read_unlock() pair around perf_iterate_ctx() call in perf_event_exec().  [ mingo: Use scoped_guard() as suggested by Peter ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21898",
                        "url": "https://ubuntu.com/security/CVE-2025-21898",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Avoid potential division by zero in function_stat_show()  Check whether the denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produces zero and skip the stddev computation in that case.  For now, don't care about rec->counter * rec->counter overflow, because rec->time * rec->time overflow will likely happen earlier.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-01 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21899",
                        "url": "https://ubuntu.com/security/CVE-2025-21899",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix bad hist from corrupting named_triggers list  The following commands causes a crash:   ~# cd /sys/kernel/tracing/events/rcu/rcu_callback  ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger  bash: echo: write error: Invalid argument  ~# echo 'hist:name=bad:keys=common_pid' > trigger  Because the following occurs:  event_trigger_write() {   trigger_process_regex() {     event_hist_trigger_parse() {        data = event_trigger_alloc(..);        event_trigger_register(.., data) {         cmd_ops->reg(.., data, ..) [hist_register_trigger()] {           data->ops->init() [event_hist_trigger_init()] {             save_named_trigger(name, data) {               list_add(&data->named_list, &named_triggers);             }           }         }       }        ret = create_actions(); (return -EINVAL)       if (ret)         goto out_unreg; [..]       ret = hist_trigger_enable(data, ...) {         list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..]  out_unreg:       event_hist_unregister(.., data) {         cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {           list_for_each_entry(iter, &file->triggers, list) {             if (!hist_trigger_match(data, iter, named_data, false))   <- never matches                 continue;             [..]             test = iter;           }           if (test && test->ops->free) <<<-- test is NULL              test->ops->free(test) [event_hist_trigger_free()] {               [..]               if (data->name)                 del_named_trigger(data) {                   list_del(&data->named_list);  <<<<-- NEVER gets removed!                 }               }            }          }           [..]          
kfree(data); <<<-- frees item but it is still on list  The next time a hist with name is registered, it causes a use-after-free (u-a-f) bug and the kernel can crash.  Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list.  A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-01 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21881",
                        "url": "https://ubuntu.com/security/CVE-2025-21881",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uprobes: Reject the shared zeropage in uprobe_write_opcode()  We triggered the following crash in syzkaller tests:    BUG: Bad page state in process syz.7.38  pfn:1eff3   page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3   flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)   raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000   raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000   page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014   Call Trace:    <TASK>    dump_stack_lvl+0x32/0x50    bad_page+0x69/0xf0    free_unref_page_prepare+0x401/0x500    free_unref_page+0x6d/0x1b0    uprobe_write_opcode+0x460/0x8e0    install_breakpoint.part.0+0x51/0x80    register_for_each_vma+0x1d9/0x2b0    __uprobe_register+0x245/0x300    bpf_uprobe_multi_link_attach+0x29b/0x4f0    link_create+0x1e2/0x280    __sys_bpf+0x75f/0xac0    __x64_sys_bpf+0x1a/0x30    do_syscall_64+0x56/0x100    entry_SYSCALL_64_after_hwframe+0x78/0xe2     BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1  The following syzkaller test case can be used to reproduce:    r2 = creat(&(0x7f0000000000)='./file0\\x00', 0x8)   write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)   r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x42, 0x0)   mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)   r5 = userfaultfd(0x80801)   ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})   r6 = userfaultfd(0x80801)   ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))   ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})   ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 
0x1000}})   r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB=\"1800000000120000000000000000000095\"], &(0x7f0000000000)='GPL\\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)   bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)  The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount.  Therefore, two bugs are introduced:   1. The RSS count is incorrect, when process exit, the check_mm() report     error \"Bad rss-count\".   2. The reserved folio (zero folio) is freed when folio->refcount is zero,     then free_pages_prepare->free_page_is_bad() report error     \"Bad page state\".  There is more, the following warning could also theoretically be triggered:    __replace_page()     -> ...       -> folio_remove_rmap_pte()         -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)  Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote().  [ mingo: Cleaned up the changelog ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21895",
                        "url": "https://ubuntu.com/security/CVE-2025-21895",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list  Syzkaller triggers a warning due to prev_epc->pmu != next_epc->pmu in perf_event_swap_task_ctx_data(). vmcore shows that two lists have the same perf_event_pmu_context, but not in the same order.  The problem is that the order of pmu_ctx_list for the parent is impacted by the time when an event/PMU is added, while the order for a child is impacted by the event order in the pinned_groups and flexible_groups. So the order of pmu_ctx_list in the parent and child may be different.  To fix this problem, insert the perf_event_pmu_context to its proper place after iteration of the pmu_ctx_list.  The following testcase can trigger the above warning:   # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out &  # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out   test.c   void main() {         int count = 0;         pid_t pid;          printf(\"%d running\\n\", getpid());         sleep(30);         printf(\"running\\n\");          pid = fork();         if (pid == -1) {                 printf(\"fork error\\n\");                 return;         }         if (pid == 0) {                 while (1) {                         count++;                 }         } else {                 while (1) {                         count++;                 }         }  }  The testcase first opens an LBR event, so it will allocate task_ctx_data, and then opens tracepoint and software events, so the parent context will have 3 different perf_event_pmu_contexts. On inheritance, child ctx will insert the perf_event_pmu_context in another order and the warning will trigger.  [ mingo: Tidied up the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-01 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21883",
                        "url": "https://ubuntu.com/security/CVE-2025-21883",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: Fix deinitializing VF in error path  If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption.  Reproducer:   devlink dev eswitch set $PF1_PCI mode switchdev   ip l s $PF1 up   ip l s $PF1 promisc on   sleep 1   echo 1 > /sys/class/net/$PF1/device/sriov_numvfs   sleep 1   echo 1 > /sys/class/net/$PF1/device/sriov_numvfs  Trace (minimized):   list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).   kernel BUG at lib/list_debug.c:29!   RIP: 0010:__list_add_valid_or_report+0xa6/0x100    ice_mbx_init_vf_info+0xa7/0x180 [ice]    ice_initialize_vf_entry+0x1fa/0x250 [ice]    ice_sriov_configure+0x8d7/0x1520 [ice]    ? __percpu_ref_switch_mode+0x1b1/0x5d0    ? __pfx_ice_sriov_configure+0x10/0x10 [ice]  Sometimes a KASAN report can be seen instead with a similar stack trace:   BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100  VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21891",
                        "url": "https://ubuntu.com/security/CVE-2025-21891",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvlan: ensure network headers are in skb linear part  syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header is present in skb->head [1]  Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers.  [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47   __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47   ipv6_addr_type include/net/ipv6.h:555 [inline]   ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]   ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651   ip6_route_output include/net/ip6_route.h:93 [inline]   ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476   ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]   ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]   ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]   ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671   ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223   __netdev_start_xmit include/linux/netdevice.h:5150 [inline]   netdev_start_xmit include/linux/netdevice.h:5159 [inline]   xmit_one net/core/dev.c:3735 [inline]   dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751   sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343   qdisc_restart net/sched/sch_generic.c:408 [inline]   __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416   qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127   net_tx_action+0x78b/0x940 net/core/dev.c:5484   handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561   __do_softirq+0x14/0x1a kernel/softirq.c:595   do_softirq+0x9a/0x100 kernel/softirq.c:462   __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389   local_bh_enable include/linux/bottom_half.h:33 [inline]   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]   __dev_queue_xmit+0x2758/0x57d0 
net/core/dev.c:4611   dev_queue_xmit include/linux/netdevice.h:3311 [inline]   packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276   packet_snd net/packet/af_packet.c:3132 [inline]   packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164   sock_sendmsg_nosec net/socket.c:718 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57996",
                        "url": "https://ubuntu.com/security/CVE-2024-57996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: don't allow 1 packet limit  The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well.  This fixes the following syzkaller reported crash:  UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:   __dump_stack lib/dump_stack.c:79 [inline]   dump_stack+0x125/0x19f lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:148 [inline]   __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347   sfq_link net/sched/sch_sfq.c:210 [inline]   sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238   sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500   sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296   netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]   dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362   __dev_close_many+0x214/0x350 net/core/dev.c:1468   dev_close_many+0x207/0x510 net/core/dev.c:1506   unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738   unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695   unregister_netdevice include/linux/netdevice.h:2893 [inline]   __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689   tun_detach drivers/net/tun.c:705 [inline]   tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640   __fput+0x203/0x840 fs/file_table.c:280   task_work_run+0x129/0x1b0 kernel/task_work.c:185   exit_task_work include/linux/task_work.h:33 [inline]   do_exit+0x5ce/0x2200 kernel/exit.c:931  
 do_group_exit+0x144/0x310 kernel/exit.c:1046   __do_sys_exit_group kernel/exit.c:1057 [inline]   __se_sys_exit_group kernel/exit.c:1055 [inline]   __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055  do_syscall_64+0x6c/0xd0  entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270  The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1):  tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1  Scenario that triggers the crash:  * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1  * TBF dequeues: it peeks from SFQ which moves the packet to the   gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so   it schedules itself for later.  * the second packet is sent and TBF tries to queues it to SFQ. qdisc   qlen is now 2 and because the SFQ limit is 1 the packet is dropped   by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,   however q->tail is not NULL.  At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37752",
                        "url": "https://ubuntu.com/security/CVE-2025-37752",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: move the limit validation  It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.  Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:  tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1  This fixes the following syzkaller reported crash:  ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120  ubsan_epilogue lib/ubsan.c:231 [inline]  __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429  sfq_link net/sched/sch_sfq.c:203 [inline]  sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231  sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493  sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518  qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035  tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339  qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035  dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311  netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]  dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-01 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38350",
                        "url": "https://ubuntu.com/security/CVE-2025-38350",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Always pass notifications when child class becomes empty  Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.  The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:      tc qdisc add dev lo root handle 1: drr     tc filter add dev lo parent 1: basic classid 1:1     tc class add dev lo parent 1: classid 1:1 drr     tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1     tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0     tc qdisc add dev lo parent 2:1 handle 3: netem     tc qdisc add dev lo parent 3:1 handle 4: blackhole      echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888     tc class delete dev lo classid 1:1     echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888  Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. 
This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-19 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21887",
                        "url": "https://ubuntu.com/security/CVE-2025-21887",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up  The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote().  Move dput(upper) after its last use to prevent use-after-free.  BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167  Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:88 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114  print_address_description mm/kasan/report.c:377 [inline]  print_report+0xc3/0x620 mm/kasan/report.c:488  kasan_report+0xd9/0x110 mm/kasan/report.c:601  ovl_dentry_remote fs/overlayfs/util.c:162 [inline]  ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167  ovl_link_up fs/overlayfs/copy_up.c:610 [inline]  ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170  ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223  ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136  vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ...  </TASK>",
                        "cve_priority": "high",
                        "cve_public_date": "2025-03-27 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21861",
                        "url": "https://ubuntu.com/security/CVE-2025-21861",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()  If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio.  This will set memcg_data of the old folio to 0.  Similarly, if migration failed, memcg_data of the dst folio is left unset.  If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy.  Running the hmm selftests:    # ./hmm-tests   ...   #  RUN           hmm.hmm_device_private.migrate ...   [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00   [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)   [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9   [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000   [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())   [  102.087230][T14893] ------------[ cut here ]------------   [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170   [  102.090478][T14893] Modules linked in:   [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151   [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014   [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170   [  102.096104][T14893] Code: ...   
[  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293   [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426   [  102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880   [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000   [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8   [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000   [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000   [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0   [  102.113478][T14893] PKRU: 55555554   [  102.114172][T14893] Call Trace:   [  102.114805][T14893]  <TASK>   [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.116547][T14893]  ? __warn.cold+0x110/0x210   [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.118667][T14893]  ? report_bug+0x1b9/0x320   [  102.119571][T14893]  ? handle_bug+0x54/0x90   [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50   [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20   [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0   [  102.123506][T14893]  ? dump_page+0x4f/0x60   [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200   [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10   [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720   [  102.128633][T14893]  ? 
__pfx_lru_add+0x10/0x10   [  102.129550][T14893]  folio_putback_lru+0x16/0x80   [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530   [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0   [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80  Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again.  So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step.  The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21861",
                        "url": "https://ubuntu.com/security/CVE-2025-21861",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()  If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio.  This will set memcg_data of the old folio to 0.  Similarly, if migration failed, memcg_data of the dst folio is left unset.  If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy.  Running the hmm selftests:    # ./hmm-tests   ...   #  RUN           hmm.hmm_device_private.migrate ...   [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00   [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)   [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9   [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000   [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())   [  102.087230][T14893] ------------[ cut here ]------------   [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170   [  102.090478][T14893] Modules linked in:   [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151   [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014   [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170   [  102.096104][T14893] Code: ...   
[  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293   [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426   [  102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880   [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000   [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8   [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000   [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000   [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0   [  102.113478][T14893] PKRU: 55555554   [  102.114172][T14893] Call Trace:   [  102.114805][T14893]  <TASK>   [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.116547][T14893]  ? __warn.cold+0x110/0x210   [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.118667][T14893]  ? report_bug+0x1b9/0x320   [  102.119571][T14893]  ? handle_bug+0x54/0x90   [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50   [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20   [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0   [  102.123506][T14893]  ? dump_page+0x4f/0x60   [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200   [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10   [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720   [  102.128633][T14893]  ? 
__pfx_lru_add+0x10/0x10   [  102.129550][T14893]  folio_putback_lru+0x16/0x80   [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530   [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0   [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80  Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again.  So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step.  The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21868",
                        "url": "https://ubuntu.com/security/CVE-2025-21868",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: allow small head cache usage with large MAX_SKB_FRAGS values  Sabrina reported the following splat:      WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0     Modules linked in:     CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014     RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0     Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48     RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293     RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e     RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6     RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c     R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168     R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007     FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033     CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400     Call Trace:     <TASK>     gro_cells_init+0x1ba/0x270     xfrm_input_init+0x4b/0x2a0     xfrm_init+0x38/0x50     ip_rt_init+0x2d7/0x350     ip_init+0xf/0x20     inet_init+0x406/0x590     do_one_initcall+0x9d/0x2e0     do_initcalls+0x23b/0x280     kernel_init_freeable+0x445/0x490     kernel_init+0x20/0x1d0     ret_from_fork+0x46/0x80     ret_from_fork_asm+0x1a/0x30     </TASK>     irq event stamp: 584330     hardirqs last  enabled at (584338): [<ffffffff8168bf87>] 
__up_console_sem+0x77/0xb0     hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0     softirqs last  enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470     softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0  on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD.  Such built additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat.  Note that the underlying issue is independent from the mentioned revert; address it ensuring that the small head cache will fit either TCP and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21869",
                        "url": "https://ubuntu.com/security/CVE-2025-21869",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/code-patching: Disable KASAN report during patching via temporary mm  Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:  [   12.028126] ================================================================== [   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1  [   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G               T  6.13.0-P9-dirty #3 [   12.028408] Tainted: [T]=RANDSTRUCT [   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [   12.028500] Call Trace: [   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [   12.029379] [c000000008dbfd00] [c00000000043a228] 
sys_bpf+0x28/0x40 [   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G               T   (6.13.0-P9-dirty) [   12.029735] MSR:  900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848  XER: 00000000 [   12.029855] IRQMASK: 0                GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005                GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008                GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000                GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000                GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90                GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80                GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8                GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [   12.030405] --- interrupt: 3000 [   12.030444] ==================================================================  Commit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for Radix MMU\") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented.  Commit 465cabc97b42 (\"powerpc/code-patching: introduce patch_instructions()\") use copy_to_kernel_nofault() to copy several instructions at once. 
But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21870",
                        "url": "https://ubuntu.com/security/CVE-2025-21870",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers  Other, non DAI copier widgets could have the same  stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio.  The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21844",
                        "url": "https://ubuntu.com/security/CVE-2025-21844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Add check for next_buffer in receive_encrypted_standard()  Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21846",
                        "url": "https://ubuntu.com/security/CVE-2025-21846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  acct: perform last write from workqueue  In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acct(2) to /sys/power/resume. At the point where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs.  Reorganize the code so that the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk.  This api should stop to exist though.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21847",
                        "url": "https://ubuntu.com/security/CVE-2025-21847",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()  The nullity of sps->cstream should be checked similarly as it is done in sof_set_stream_data_offset() function. Assuming that it is not NULL if sps->stream is NULL is incorrect and can lead to NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21848",
                        "url": "https://ubuntu.com/security/CVE-2025-21848",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()  Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21862",
                        "url": "https://ubuntu.com/security/CVE-2025-21862",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drop_monitor: fix incorrect initialization order  Syzkaller reports the following bug:  BUG: spinlock bad magic on CPU#1, syz-executor.0/7995  lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G            E     5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace:  __dump_stack lib/dump_stack.c:77 [inline]  dump_stack+0x119/0x179 lib/dump_stack.c:118  debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]  do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]  _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159  reset_per_cpu_data+0xe6/0x240 [drop_monitor]  net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]  genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]  genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800  netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497  genl_rcv+0x29/0x40 net/netlink/genetlink.c:811  netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]  netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348  netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916  sock_sendmsg_nosec net/socket.c:651 [inline]  __sock_sendmsg+0x157/0x190 net/socket.c:663  ____sys_sendmsg+0x712/0x870 net/socket.c:2378  ___sys_sendmsg+0xf8/0x170 net/socket.c:2432  __sys_sendmsg+0xea/0x1b0 net/socket.c:2461  do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46  entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 
002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768  If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized.  To fix this, let's place resource initialization above the registration of a generic netlink family.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21871",
                        "url": "https://ubuntu.com/security/CVE-2025-21871",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tee: optee: Fix supplicant wait loop  OP-TEE supplicant is a user-space daemon and it's possible for it to be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application.  Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would.  This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which led to the client getting hung in an unkillable state. This in turn led to the system being in a hung state requiring hard power off/on to recover.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21863",
                        "url": "https://ubuntu.com/security/CVE-2025-21863",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: prevent opcode speculation  sqe->opcode is used for different tables, make sure we sanitise it against speculations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58088",
                        "url": "https://ubuntu.com/security/CVE-2024-58088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix deadlock when freeing cgroup storage  The following commit bc235cdb423a (\"bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]\") first introduced deadlock prevention for fentry/fexit programs attaching on bpf_task_storage helpers. That commit also employed the logic in map free path in its v6 version.  Later bpf_cgrp_storage was first introduced in c4bcfb38a95e (\"bpf: Implement cgroup storage available to non-cgroup-attached bpf progs\") which faces the same issue as bpf_task_storage, instead of its busy counter, NULL was passed to bpf_local_storage_map_free() which opened a window to cause deadlock:  \t<TASK> \t\t(acquiring local_storage->lock) \t_raw_spin_lock_irqsave+0x3d/0x50 \tbpf_local_storage_update+0xd1/0x460 \tbpf_cgrp_storage_get+0x109/0x130 \tbpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170 \t? __bpf_prog_enter_recur+0x16/0x80 \tbpf_trampoline_6442485186+0x43/0xa4 \tcgroup_storage_ptr+0x9/0x20 \t\t(holding local_storage->lock) \tbpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160 \tbpf_selem_unlink_storage+0x6f/0x110 \tbpf_local_storage_map_free+0xa2/0x110 \tbpf_map_free_deferred+0x5b/0x90 \tprocess_one_work+0x17c/0x390 \tworker_thread+0x251/0x360 \tkthread+0xd2/0x100 \tret_from_fork+0x34/0x50 \tret_from_fork_asm+0x1a/0x30 \t</TASK>  Progs:  - A: SEC(\"fentry/cgroup_storage_ptr\")    - cgid (BPF_MAP_TYPE_HASH) \tRecord the id of the cgroup the current task belonging \tto in this hash map, using the address of the cgroup \tas the map key.    - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE) \tIf current task is a kworker, lookup the above hash \tmap using function parameter @owner as the key to get \tits corresponding cgroup id which is then used to get \ta trusted pointer to the cgroup through \tbpf_cgroup_from_id(). This trusted pointer can then \tbe passed to bpf_cgrp_storage_get() to finally trigger \tthe deadlock issue.  
- B: SEC(\"tp_btf/sys_enter\")    - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE) \tThe only purpose of this prog is to fill Prog A's \thash map by calling bpf_cgrp_storage_get() for as \tmany userspace tasks as possible.  Steps to reproduce:  - Run A;  - while (true) { Run B; Destroy B; }  Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21853",
                        "url": "https://ubuntu.com/security/CVE-2025-21853",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: avoid holding freeze_mutex during mmap operation  We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0].  So, instead, hold freeze_mutex only during writeability checks, bump (proactively) \"write active\" count for the map, unlock the mutex and proceed with mmap logic. And only if something went wrong during mmap logic, then undo that \"write active\" counter increment.    [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21867",
                        "url": "https://ubuntu.com/security/CVE-2025-21867",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()  KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init().  Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for \"if (user_size > size)\" as it is unnecessary.  [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165  eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]  eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165  __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635  xdp_recv_frames net/bpf/test_run.c:272 [inline]  xdp_test_run_batch net/bpf/test_run.c:361 [inline]  bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390  bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318  bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371  __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777  __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]  __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]  __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864  x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  free_pages_prepare mm/page_alloc.c:1056 [inline]  free_unref_page+0x156/0x1320 mm/page_alloc.c:2657  __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838  bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]  ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235  bpf_map_free kernel/bpf/syscall.c:838 
[inline]  bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862  process_one_work kernel/workqueue.c:3229 [inline]  process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310  worker_thread+0xedf/0x1550 kernel/workqueue.c:3391  kthread+0x535/0x6b0 kernel/kthread.c:389  ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-27 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21864",
                        "url": "https://ubuntu.com/security/CVE-2025-21864",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: drop secpath at the same time as we currently drop dst  Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to:  - create a pair of netns  - run a basic TCP test over ipcomp6  - delete the pair of netns  The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free.  The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point.  We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21854",
                        "url": "https://ubuntu.com/security/CVE-2025-21854",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sockmap, vsock: For connectible sockets allow only connected  sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path.  Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly:  KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+ Workqueue: vsock-loopback vsock_loopback_work RIP: 0010:vsock_read_skb+0x4b/0x90 Call Trace:  sk_psock_verdict_data_ready+0xa4/0x2e0  virtio_transport_recv_pkt+0x1ca8/0x2acc  vsock_loopback_work+0x27d/0x3f0  process_one_work+0x846/0x1420  worker_thread+0x5b3/0xf80  kthread+0x35a/0x700  ret_from_fork+0x2d/0x70  ret_from_fork_asm+0x1a/0x30  For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21855",
                        "url": "https://ubuntu.com/security/CVE-2025-21855",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmvnic: Don't reference skb after sending to VIOS  Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb.  It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free:  ==================================================================  BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]  Read of size 4 at addr c00000024eb48a70 by task hxecom/14495  <...>  Call Trace:  [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)  [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0  [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8  [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0  [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]  [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358  <...>  Freed by task 0:  kasan_save_stack+0x34/0x68  kasan_save_track+0x2c/0x50  kasan_save_free_info+0x64/0x108  __kasan_mempool_poison_object+0x148/0x2d4  napi_skb_cache_put+0x5c/0x194  net_tx_action+0x154/0x5b8  handle_softirqs+0x20c/0x60c  do_softirq_own_stack+0x6c/0x88  <...>  The buggy address belongs to the object at c00000024eb48a00 which   belongs to the cache skbuff_head_cache of size 224 ==================================================================",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21856",
                        "url": "https://ubuntu.com/security/CVE-2025-21856",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/ism: add release function for struct device  According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed.  The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21857",
                        "url": "https://ubuntu.com/security/CVE-2025-21857",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: cls_api: fix error handling causing NULL dereference  tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change().  fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced.  Example trace:  BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1 RIP: 0010:tcf_action_init+0x1f8/0x2c0 Call Trace:  tcf_action_init+0x1f8/0x2c0  tcf_exts_validate_ex+0x175/0x190  fl_change+0x537/0x1120 [cls_flower]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21858",
                        "url": "https://ubuntu.com/security/CVE-2025-21858",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  geneve: Fix use-after-free in geneve_find_dev().  syzkaller reported a use-after-free in geneve_find_dev() [0] without repro.  geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list.  The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.  When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed.  However, its geneve_dev.next is still linked to the backend UDP socket netns.  Then, use-after-free will occur when another geneve dev is created in the netns.  Let's call geneve_dellink() instead in geneve_destroy_tunnels().  [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441  CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace:  show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x16c/0x6f0 mm/kasan/report.c:489  kasan_report+0xc0/0x120 mm/kasan/report.c:602  __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379  geneve_find_dev drivers/net/geneve.c:1295 [inline]  geneve_configure+0x234/0x858 drivers/net/geneve.c:1343  geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634  rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795  __rtnl_newlink net/core/rtnetlink.c:3906 [inline]  rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021  rtnetlink_rcv_msg+0x61c/0x918 
net/core/rtnetlink.c:6911  netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543  rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938  netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]  netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348  netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892  sock_sendmsg_nosec net/socket.c:713 [inline]  __sock_sendmsg net/socket.c:728 [inline]  ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568  ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622  __sys_sendmsg net/socket.c:2654 [inline]  __do_sys_sendmsg net/socket.c:2659 [inline]  __se_sys_sendmsg net/socket.c:2657 [inline]  __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132  do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151  el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762  el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600  Allocated by task 13247:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x68 mm/kasan/common.c:68  kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4298 [inline]  __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304  __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645  alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470  rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604  rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780  __rtnl_newlink net/core/rtnetlink.c:3906 [inline]  rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021  rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911  netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543  rtnetlink_rcv+0x34/0x50 
net/core/rtnetlink.c:6938  netlink_unicast_kernel net/netlink/af_n ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21866",
                        "url": "https://ubuntu.com/security/CVE-2025-21866",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC  Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6:    BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8   Write of size 8 at addr f1000000 by task chronyd/1293    CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W         6.13.0-rc6-PMacG4 #2   Tainted: [W]=WARN   Hardware name: PowerMac3,6 7455 0x80010303 PowerMac   Call Trace:   [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)   [c24375b0] [c0504998] print_report+0xdc/0x504   [c2437610] [c050475c] kasan_report+0xf8/0x108   [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c   [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8   [c24376c0] [c004c014] patch_instructions+0x15c/0x16c   [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c   [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac   [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec   [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478   [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14   [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4   [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890   [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420   [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c   --- interrupt: c00 at 0x5a1274   NIP:  005a1274 LR: 006a3b3c CTR: 005296c8   REGS: c2437f40 TRAP: 0c00   Tainted: G        W          (6.13.0-rc6-PMacG4)   MSR:  0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI>  CR: 24004422  XER: 00000000    GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932   GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57   GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002   GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001  
 NIP [005a1274] 0x5a1274   LR [006a3b3c] 0x6a3b3c   --- interrupt: c00    The buggy address belongs to the virtual mapping at    [f1000000, f1002000) created by:    text_area_cpu_up+0x20/0x190    The buggy address belongs to the physical page:   page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30   flags: 0x80000000(zone=2)   raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001   raw: 00000000   page dumped because: kasan: bad access detected    Memory state around the buggy address:    f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8              ^    f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8    f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8   ==================================================================  f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet.  Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area.  That went undetected until commit e4137f08816b (\"mm, kasan, kmsan: instrument copy_from/to_kernel_nofault\")  The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21859",
                        "url": "https://ubuntu.com/security/CVE-2025-21859",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: gadget: f_midi: f_midi_complete to call queue_work  When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock.  Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-12 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21746",
                        "url": "https://ubuntu.com/security/CVE-2025-21746",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: synaptics - fix crash when enabling pass-through port  When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse instance presumably associated with the pass-through port to figure out if only 1 byte of response or entire protocol packet needs to be forwarded to the pass-through port and may crash if psmouse instance has not been attached to the port yet.  Fix the crash by introducing open() and close() methods for the port and check if the port is open before trying to access psmouse instance. Because psmouse calls serio_open() only after attaching psmouse instance to serio port instance this prevents the potential crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 03:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57977",
                        "url": "https://ubuntu.com/security/CVE-2024-57977",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memcg: fix soft lockup in the OOM process  A soft lockup issue was found in the product with about 56,000 tasks were in the OOM cgroup, it was traversing them when the soft lockup was triggered.  watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066] CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G Hardware name: Huawei Cloud OpenStack Nova, BIOS RIP: 0010:console_unlock+0x343/0x540 RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247 RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040 R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0 R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  vprintk_emit+0x193/0x280  printk+0x52/0x6e  dump_task+0x114/0x130  mem_cgroup_scan_tasks+0x76/0x100  dump_header+0x1fe/0x210  oom_kill_process+0xd1/0x100  out_of_memory+0x125/0x570  mem_cgroup_out_of_memory+0xb5/0xd0  try_charge+0x720/0x770  mem_cgroup_try_charge+0x86/0x180  mem_cgroup_try_charge_delay+0x1c/0x40  do_anonymous_page+0xb5/0x390  handle_mm_fault+0xc4/0x1f0  This is because thousands of processes are in the OOM cgroup, it takes a long time to traverse all of them.  As a result, this lead to soft lockup in the OOM process.  To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks' function per 1000 iterations.  For global OOM, call 'touch_softlockup_watchdog' per 1000 iterations to avoid this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21712",
                        "url": "https://ubuntu.com/security/CVE-2025-21712",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime  After commit ec6bb299c7c3 (\"md/md-bitmap: add 'sync_size' into struct md_bitmap_stats\"), the following panic is reported:  Oops: general protection fault, probably for non-canonical address RIP: 0010:bitmap_get_stats+0x2b/0xa0 Call Trace:  <TASK>  md_seq_show+0x2d2/0x5b0  seq_read_iter+0x2b9/0x470  seq_read+0x12f/0x180  proc_reg_read+0x57/0xb0  vfs_read+0xf6/0x380  ksys_read+0x6c/0xf0  do_syscall_64+0x82/0x170  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Root cause is that bitmap_get_stats() can be called at any time if mddev is still there, even if bitmap is destroyed, or not fully initialized. Dereferencing bitmap in this case can crash the kernel. Meanwhile, the above commit starts dereferencing bitmap->storage, making the problem easier to trigger.  Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58093",
                        "url": "https://ubuntu.com/security/CVE-2024-58093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/ASPM: Fix link state exit during switch upstream function removal  Before 456d8aa37d0f (\"PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free\"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed.  That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.  After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link.  That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.  The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.  On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone.  [kwilczynski: commit log]",
                        "cve_priority": "low",
                        "cve_public_date": "2025-04-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38083",
                        "url": "https://ubuntu.com/security/CVE-2025-38083",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: prio: fix a race in prio_tune()  Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-20 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37797",
                        "url": "https://ubuntu.com/security/CVE-2025-37797",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class handling  This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel.  The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,    codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding    the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes    are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free  The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-02 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2121515,
                    2121671,
                    1786013,
                    2111521,
                    2115393,
                    2118499,
                    2117123,
                    2118965,
                    2117716,
                    2115447,
                    2119458,
                    2118927,
                    2117533,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2116878,
                    2120405,
                    2120330,
                    2120330,
                    2117691,
                    1786013,
                    2115209,
                    2116072,
                    2115652,
                    2115068,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2116212,
                    2114785,
                    2114450,
                    2114258,
                    2115616,
                    2114849,
                    2117494
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Linux refcount imbalance in af_unix subsystem (LP: #2121515)",
                            "    - SAUCE: af_unix: Fix GC compatibility with upstream OOB refcount changes",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-84.84",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2121515
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 05 Sep 2025 13:33:50 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-21872",
                                "url": "https://ubuntu.com/security/CVE-2025-21872",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  efi: Don't map the entire mokvar table to determine its size  Currently, when validating the mokvar table, we (re)map the entire table on each iteration of the loop, adding space as we discover new entries. If the table grows over a certain size, this fails due to limitations of early_memmap(), and we get a failure and traceback:    ------------[ cut here ]------------   WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220   ...   Call Trace:    <TASK>    ? __early_ioremap+0xef/0x220    ? __warn.cold+0x93/0xfa    ? __early_ioremap+0xef/0x220    ? report_bug+0xff/0x140    ? early_fixup_exception+0x5d/0xb0    ? early_idt_handler_common+0x2f/0x3a    ? __early_ioremap+0xef/0x220    ? efi_mokvar_table_init+0xce/0x1d0    ? setup_arch+0x864/0xc10    ? start_kernel+0x6b/0xa10    ? x86_64_start_reservations+0x24/0x30    ? x86_64_start_kernel+0xed/0xf0    ? common_startup_64+0x13e/0x141    </TASK>   ---[ end trace 0000000000000000 ]---   mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.  Mapping the entire structure isn't actually necessary, as we don't ever need more than one entry header mapped at once.  Changes efi_mokvar_table_init() to only map each entry header, not the entire table, when determining the table size.  Since we're not mapping any data past the variable name, it also changes the code to enforce that each variable name is NUL terminated, rather than attempting to verify it in place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21880",
                                "url": "https://ubuntu.com/security/CVE-2025-21880",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/userptr: fix EFAULT handling  Currently we treat EFAULT from hmm_range_fault() as a non-fatal error when called from xe_vm_userptr_pin() with the idea that we want to avoid killing the entire vm and chucking an error, under the assumption that the user just did an unmap or something, and has no intention of actually touching that memory from the GPU.  At this point we have already zapped the PTEs so any access should generate a page fault, and if the pin fails there also it will then become fatal.  However it looks like it's possible for the userptr vma to still be on the rebind list in preempt_rebind_work_func(), if we had to retry the pin again due to something happening in the caller before we did the rebind step, but in the meantime needing to re-validate the userptr and this time hitting the EFAULT.  This explains an internal user report of hitting:  [  191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe] [  191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738690] Call Trace: [  191.738692]  <TASK> [  191.738694]  ? show_regs+0x69/0x80 [  191.738698]  ? __warn+0x93/0x1a0 [  191.738703]  ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738759]  ? report_bug+0x18f/0x1a0 [  191.738764]  ? handle_bug+0x63/0xa0 [  191.738767]  ? exc_invalid_op+0x19/0x70 [  191.738770]  ? asm_exc_invalid_op+0x1b/0x20 [  191.738777]  ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [  191.738834]  ? ret_from_fork_asm+0x1a/0x30 [  191.738849]  bind_op_prepare+0x105/0x7b0 [xe] [  191.738906]  ? dma_resv_reserve_fences+0x301/0x380 [  191.738912]  xe_pt_update_ops_prepare+0x28c/0x4b0 [xe] [  191.738966]  ? 
kmemleak_alloc+0x4b/0x80 [  191.738973]  ops_execute+0x188/0x9d0 [xe] [  191.739036]  xe_vm_rebind+0x4ce/0x5a0 [xe] [  191.739098]  ? trace_hardirqs_on+0x4d/0x60 [  191.739112]  preempt_rebind_work_func+0x76f/0xd00 [xe]  Followed by NPD, when running some workload, since the sg was never actually populated but the vma is still marked for rebind when it should be skipped for this special EFAULT case. This is confirmed to fix the user report.  v2 (MattB):  - Move earlier. v3 (MattB):  - Update the commit message to make it clear that this indeed fixes the    issue.  (cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21890",
                                "url": "https://ubuntu.com/security/CVE-2025-21890",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: fix checksums set in idpf_rx_rsc()  idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet.  This triggers the following warning for CONFIG_DEBUG_NET=y builds.  DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))  [   69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth [   69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S      W         6.14.0-smp-DEV #1697 [   69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN [   69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748) [   69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261687] ? report_bug (lib/bug.c:?) [   69.261690] ? handle_bug (arch/x86/kernel/traps.c:285) [   69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309) [   69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [   69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf [   69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [   69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf [   69.261712] __napi_poll (net/core/dev.c:7194) [   69.261716] net_rx_action (net/core/dev.c:7265) [   69.261718] ? __qdisc_run (net/sched/sch_generic.c:293) [   69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288) [   69.261726] handle_softirqs (kernel/softirq.c:561)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21885",
                                "url": "https://ubuntu.com/security/CVE-2025-21885",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers  While using nvme target with use_srq on, below kernel panic is noticed.  [  549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [  566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI .. [  566.393799]  <TASK> [  566.393807]  ? __die_body+0x1a/0x60 [  566.393823]  ? die+0x38/0x60 [  566.393835]  ? do_trap+0xe4/0x110 [  566.393847]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393867]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393881]  ? do_error_trap+0x7c/0x120 [  566.393890]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393911]  ? exc_divide_error+0x34/0x50 [  566.393923]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393939]  ? asm_exc_divide_error+0x16/0x20 [  566.393966]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [  566.393997]  bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re] [  566.394040]  bnxt_re_create_srq+0x335/0x3b0 [bnxt_re] [  566.394057]  ? srso_return_thunk+0x5/0x5f [  566.394068]  ? __init_swait_queue_head+0x4a/0x60 [  566.394090]  ib_create_srq_user+0xa7/0x150 [ib_core] [  566.394147]  nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma] [  566.394174]  ? lock_release+0x22c/0x3f0 [  566.394187]  ? srso_return_thunk+0x5/0x5f  Page size and shift info is set only for the user space SRQs. Set page size and page shift for kernel space SRQs also.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21888",
                                "url": "https://ubuntu.com/security/CVE-2025-21888",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix a WARN during dereg_mr for DM type  Memory regions (MR) of type DM (device memory) do not have an associated umem.  In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped.  This results in a WARN [1], as shown below.  The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs().  [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS:  00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21892",
                                "url": "https://ubuntu.com/security/CVE-2025-21892",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix the recovery flow of the UMR QP  This patch addresses an issue in the recovery flow of the UMR QP, ensuring tasks do not get stuck, as highlighted by the call trace [1].  During recovery, before transitioning the QP to the RESET state, the software must wait for all outstanding WRs to complete.  Failing to do so can cause the firmware to skip sending some flushed CQEs with errors and simply discard them upon the RESET, as per the IB specification.  This race condition can result in lost CQEs and tasks becoming stuck.  To resolve this, the patch sends a final WR which serves only as a barrier before moving the QP state to RESET.  Once a CQE is received for that final WR, it guarantees that no outstanding WRs remain, making it safe to transition the QP to RESET and subsequently back to RTS, restoring proper functionality.  Note: For the barrier WR, we simply reuse the failed and ready WR. Since the QP is in an error state, it will only receive IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't care about its status.  [1] INFO: task rdma_resource_l:1922 blocked for more than 120 seconds. Tainted: G        W          6.12.0-rc7+ #1626 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:rdma_resource_l state:D stack:0  pid:1922 tgid:1922  ppid:1369      flags:0x00004004 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 schedule_timeout+0x280/0x300 ? mark_held_locks+0x48/0x80 ? lockdep_hardirqs_on_prepare+0xe5/0x1a0 wait_for_completion+0x75/0x130 mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib] ? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib] mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib] __mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? 
lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? __lock_acquire+0x64e/0x2080 ? mark_held_locks+0x48/0x80 ? find_held_lock+0x2d/0xa0 ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? __fget_files+0xc3/0x1b0 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f99c918b17b RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:      0000000000000010 RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:      00007f99c918b17b RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:      0000000000000003 RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:      000000000000bd7e R10: 00007f99c94c1c70 R11: 0000000000000246 R12:      00007ffc766d0530 R13: 000000000000001c R14: 0000000040246a80 R15:      0000000000000000 </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21873",
                                "url": "https://ubuntu.com/security/CVE-2025-21873",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: bsg: Fix crash when arpmb command fails  If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn().  In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len.  Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22  4,1308,531166555,-;Call Trace:  4,1309,531166559,-; <TASK>  4,1310,531166565,-; ? show_regs+0x6d/0x80  4,1311,531166575,-; ? die+0x37/0xa0  4,1312,531166583,-; ? do_trap+0xd4/0xf0  4,1313,531166593,-; ? do_error_trap+0x71/0xb0  4,1314,531166601,-; ? usercopy_abort+0x6c/0x80  4,1315,531166610,-; ? exc_invalid_op+0x52/0x80  4,1316,531166622,-; ? usercopy_abort+0x6c/0x80  4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20  4,1318,531166643,-; ? usercopy_abort+0x6c/0x80  4,1319,531166652,-; __check_heap_object+0xe3/0x120  4,1320,531166661,-; check_heap_object+0x185/0x1d0  4,1321,531166670,-; __check_object_size.part.0+0x72/0x150  4,1322,531166679,-; __check_object_size+0x23/0x30  4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58090",
                                "url": "https://ubuntu.com/security/CVE-2024-58090",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/core: Prevent rescheduling when interrupts are disabled  David reported a warning observed while loop testing kexec jump:    Interrupts enabled after irqrouter_resume+0x0/0x50   WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220    kernel_kexec+0xf6/0x180    __do_sys_reboot+0x206/0x250    do_syscall_64+0x95/0x180  The corresponding interrupt flag trace:    hardirqs last  enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90   hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90  That means __up_console_sem() was invoked with interrupts enabled. Further instrumentation revealed that in the interrupt disabled section of kexec jump one of the syscore_suspend() callbacks woke up a task, which set the NEED_RESCHED flag. A later callback in the resume path invoked cond_resched() which in turn led to the invocation of the scheduler:    __cond_resched+0x21/0x60   down_timeout+0x18/0x60   acpi_os_wait_semaphore+0x4c/0x80   acpi_ut_acquire_mutex+0x3d/0x100   acpi_ns_get_node+0x27/0x60   acpi_ns_evaluate+0x1cb/0x2d0   acpi_rs_set_srs_method_data+0x156/0x190   acpi_pci_link_set+0x11c/0x290   irqrouter_resume+0x54/0x60   syscore_resume+0x6a/0x200   kernel_kexec+0x145/0x1c0   __do_sys_reboot+0xeb/0x240   do_syscall_64+0x95/0x180  This is a long standing problem, which probably got more visible with the recent printk changes. Something does a task wakeup and the scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and invokes schedule() from a completely bogus context. The scheduler enables interrupts after context switching, which causes the above warning at the end.  Quite some of the code paths in syscore_suspend()/resume() can result in triggering a wakeup with the exactly same consequences. 
They might not have done so yet, but as they share a lot of code with normal operations it's just a question of time.  The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling models. Full preemption is not affected as cond_resched() is disabled and the preemption check preemptible() takes the interrupt disabled flag into account.  Cure the problem by adding a corresponding check into cond_resched().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21875",
                                "url": "https://ubuntu.com/security/CVE-2025-21875",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: always handle address removal under msk socket lock  Syzkaller reported a lockdep splat in the PM control path:    WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]   WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]   WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788   Modules linked in:   CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024   RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]   RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]   RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788   Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff   RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283   RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000   RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408   RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000   R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0   R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00   FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400   Call Trace:    <TASK>    mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59    
mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486    mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]    mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629    genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]    genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]    genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210    netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543    genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219    netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]    netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348    netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892    sock_sendmsg_nosec net/socket.c:718 [inline]    __sock_sendmsg+0x221/0x270 net/socket.c:733    ____sys_sendmsg+0x53a/0x860 net/socket.c:2573    ___sys_sendmsg net/socket.c:2627 [inline]    __sys_sendmsg+0x269/0x350 net/socket.c:2659    do_syscall_x64 arch/x86/entry/common.c:52 [inline]    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7f7e9998cde9   Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48   RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e   RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9   RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007   RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000   R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088  Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock.  The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications.  
The above statement is incorrect, as without locks another process could concur ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21877",
                                "url": "https://ubuntu.com/security/CVE-2025-21877",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: gl620a: fix endpoint checking in genelink_bind()  Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch.  Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing.  [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... 
Call Trace:  <TASK>  usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]  netdev_start_xmit include/linux/netdevice.h:5011 [inline]  xmit_one net/core/dev.c:3590 [inline]  dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606  sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343  __dev_xmit_skb net/core/dev.c:3827 [inline]  __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400  dev_queue_xmit include/linux/netdevice.h:3168 [inline]  neigh_resolve_output net/core/neighbour.c:1514 [inline]  neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494  neigh_output include/net/neighbour.h:539 [inline]  ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141  __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]  ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226  NF_HOOK_COND include/linux/netfilter.h:303 [inline]  ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247  dst_output include/net/dst.h:450 [inline]  NF_HOOK include/linux/netfilter.h:314 [inline]  NF_HOOK include/linux/netfilter.h:308 [inline]  mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819  mld_send_cr net/ipv6/mcast.c:2120 [inline]  mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651  process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229  process_scheduled_works kernel/workqueue.c:3310 [inline]  worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391  kthread+0x2c1/0x3a0 kernel/kthread.c:389  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21878",
                                "url": "https://ubuntu.com/security/CVE-2025-21878",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  i2c: npcm: disable interrupt enable bit before devm_request_irq  The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset.  Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer.  Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only.  Here is the soft lockup log. [   28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [   28.183351] Modules linked in: [   28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [   28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [   28.208128] pc : __do_softirq+0xb0/0x368 [   28.212055] lr : __do_softirq+0x70/0x368 [   28.215972] sp : ffffff8035ebca00 [   28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [   28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [   28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [   28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [   28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [   28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [   28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [   28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [   28.276344] x5 : 00ffffffffffffff x4 : 
0000000000000015 x3 : 0000000000000198 [   28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [   28.290611] Call trace: [   28.293052]  __do_softirq+0xb0/0x368 [   28.296625]  __irq_exit_rcu+0xe0/0x100 [   28.300374]  irq_exit+0x14/0x20 [   28.303513]  handle_domain_irq+0x68/0x90 [   28.307440]  gic_handle_irq+0x78/0xb0 [   28.311098]  call_on_irq_stack+0x20/0x38 [   28.315019]  do_interrupt_handler+0x54/0x5c [   28.319199]  el1_interrupt+0x2c/0x4c [   28.322777]  el1h_64_irq_handler+0x14/0x20 [   28.326872]  el1h_64_irq+0x74/0x78 [   28.330269]  __setup_irq+0x454/0x780 [   28.333841]  request_threaded_irq+0xd0/0x1b4 [   28.338107]  devm_request_threaded_irq+0x84/0x100 [   28.342809]  npcm_i2c_probe_bus+0x188/0x3d0 [   28.346990]  platform_probe+0x6c/0xc4 [   28.350653]  really_probe+0xcc/0x45c [   28.354227]  __driver_probe_device+0x8c/0x160 [   28.358578]  driver_probe_device+0x44/0xe0 [   28.362670]  __driver_attach+0x124/0x1d0 [   28.366589]  bus_for_each_dev+0x7c/0xe0 [   28.370426]  driver_attach+0x28/0x30 [   28.373997]  bus_add_driver+0x124/0x240 [   28.377830]  driver_register+0x7c/0x124 [   28.381662]  __platform_driver_register+0x2c/0x34 [   28.386362]  npcm_i2c_init+0x3c/0x5c [   28.389937]  do_one_initcall+0x74/0x230 [   28.393768]  kernel_init_freeable+0x24c/0x2b4 [   28.398126]  kernel_init+0x28/0x130 [   28.401614]  ret_from_fork+0x10/0x20 [   28.405189] Kernel panic - not syncing: softlockup: hung tasks [   28.411011] SMP: stopping secondary CPUs [   28.414933] Kernel Offset: disabled [   28.418412] CPU features: 0x00000000,00000802 [   28.427644] Rebooting in 20 seconds..",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21889",
                                "url": "https://ubuntu.com/security/CVE-2025-21889",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Add RCU read lock protection to perf_iterate_ctx()  The perf_iterate_ctx() function performs RCU list traversal but currently lacks RCU read lock protection. This causes lockdep warnings when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y:  \tWARNING: suspicious RCU usage \tkernel/events/core.c:8168 RCU-list traversed in non-reader section!!  \t Call Trace: \t  lockdep_rcu_suspicious \t  ? perf_event_addr_filters_apply \t  perf_iterate_ctx \t  perf_event_exec \t  begin_new_exec \t  ? load_elf_phdrs \t  load_elf_binary \t  ? lock_acquire \t  ? find_held_lock \t  ? bprm_execve \t  bprm_execve \t  do_execveat_common.isra.0 \t  __x64_sys_execve \t  do_syscall_64 \t  entry_SYSCALL_64_after_hwframe  This protection was previously present but was removed in commit bd2756811766 (\"perf: Rewrite core context handling\"). Add back the necessary rcu_read_lock()/rcu_read_unlock() pair around perf_iterate_ctx() call in perf_event_exec().  [ mingo: Use scoped_guard() as suggested by Peter ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21898",
                                "url": "https://ubuntu.com/security/CVE-2025-21898",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Avoid potential division by zero in function_stat_show()  Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case.  For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-01 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21899",
                                "url": "https://ubuntu.com/security/CVE-2025-21899",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracing: Fix bad hist from corrupting named_triggers list  The following commands causes a crash:   ~# cd /sys/kernel/tracing/events/rcu/rcu_callback  ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger  bash: echo: write error: Invalid argument  ~# echo 'hist:name=bad:keys=common_pid' > trigger  Because the following occurs:  event_trigger_write() {   trigger_process_regex() {     event_hist_trigger_parse() {        data = event_trigger_alloc(..);        event_trigger_register(.., data) {         cmd_ops->reg(.., data, ..) [hist_register_trigger()] {           data->ops->init() [event_hist_trigger_init()] {             save_named_trigger(name, data) {               list_add(&data->named_list, &named_triggers);             }           }         }       }        ret = create_actions(); (return -EINVAL)       if (ret)         goto out_unreg; [..]       ret = hist_trigger_enable(data, ...) {         list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..]  out_unreg:       event_hist_unregister(.., data) {         cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {           list_for_each_entry(iter, &file->triggers, list) {             if (!hist_trigger_match(data, iter, named_data, false))   <- never matches                 continue;             [..]             test = iter;           }           if (test && test->ops->free) <<<-- test is NULL              test->ops->free(test) [event_hist_trigger_free()] {               [..]               if (data->name)                 del_named_trigger(data) {                   list_del(&data->named_list);  <<<<-- NEVER gets removed!                 }               }            }          }           [..]          
kfree(data); <<<-- frees item but it is still on list  The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash.  Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list.  A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-01 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21881",
                                "url": "https://ubuntu.com/security/CVE-2025-21881",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  uprobes: Reject the shared zeropage in uprobe_write_opcode()  We triggered the following crash in syzkaller tests:    BUG: Bad page state in process syz.7.38  pfn:1eff3   page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3   flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)   raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000   raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000   page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014   Call Trace:    <TASK>    dump_stack_lvl+0x32/0x50    bad_page+0x69/0xf0    free_unref_page_prepare+0x401/0x500    free_unref_page+0x6d/0x1b0    uprobe_write_opcode+0x460/0x8e0    install_breakpoint.part.0+0x51/0x80    register_for_each_vma+0x1d9/0x2b0    __uprobe_register+0x245/0x300    bpf_uprobe_multi_link_attach+0x29b/0x4f0    link_create+0x1e2/0x280    __sys_bpf+0x75f/0xac0    __x64_sys_bpf+0x1a/0x30    do_syscall_64+0x56/0x100    entry_SYSCALL_64_after_hwframe+0x78/0xe2     BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1  The following syzkaller test case can be used to reproduce:    r2 = creat(&(0x7f0000000000)='./file0\\x00', 0x8)   write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)   r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x42, 0x0)   mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)   r5 = userfaultfd(0x80801)   ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})   r6 = userfaultfd(0x80801)   ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))   ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})   ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, 
&(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})   r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB=\"1800000000120000000000000000000095\"], &(0x7f0000000000)='GPL\\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)   bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)  The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount.  Therefore, two bugs are introduced:   1. The RSS count is incorrect, when process exit, the check_mm() report     error \"Bad rss-count\".   2. The reserved folio (zero folio) is freed when folio->refcount is zero,     then free_pages_prepare->free_page_is_bad() report error     \"Bad page state\".  There is more, the following warning could also theoretically be triggered:    __replace_page()     -> ...       -> folio_remove_rmap_pte()         -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)  Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote().  [ mingo: Cleaned up the changelog ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21895",
                                "url": "https://ubuntu.com/security/CVE-2025-21895",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list  Syskaller triggers a warning due to prev_epc->pmu != next_epc->pmu in perf_event_swap_task_ctx_data(). vmcore shows that two lists have the same perf_event_pmu_context, but not in the same order.  The problem is that the order of pmu_ctx_list for the parent is impacted by the time when an event/PMU is added. While the order for a child is impacted by the event order in the pinned_groups and flexible_groups. So the order of pmu_ctx_list in the parent and child may be different.  To fix this problem, insert the perf_event_pmu_context to its proper place after iteration of the pmu_ctx_list.  The follow testcase can trigger above warning:   # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out &  # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out   test.c   void main() {         int count = 0;         pid_t pid;          printf(\"%d running\\n\", getpid());         sleep(30);         printf(\"running\\n\");          pid = fork();         if (pid == -1) {                 printf(\"fork error\\n\");                 return;         }         if (pid == 0) {                 while (1) {                         count++;                 }         } else {                 while (1) {                         count++;                 }         }  }  The testcase first opens an LBR event, so it will allocate task_ctx_data, and then open tracepoint and software events, so the parent context will have 3 different perf_event_pmu_contexts. On inheritance, child ctx will insert the perf_event_pmu_context in another order and the warning will trigger.  [ mingo: Tidied up the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-01 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21883",
                                "url": "https://ubuntu.com/security/CVE-2025-21883",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: Fix deinitializing VF in error path  If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption.  Reproducer:   devlink dev eswitch set $PF1_PCI mode switchdev   ip l s $PF1 up   ip l s $PF1 promisc on   sleep 1   echo 1 > /sys/class/net/$PF1/device/sriov_numvfs   sleep 1   echo 1 > /sys/class/net/$PF1/device/sriov_numvfs  Trace (minimized):   list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).   kernel BUG at lib/list_debug.c:29!   RIP: 0010:__list_add_valid_or_report+0xa6/0x100    ice_mbx_init_vf_info+0xa7/0x180 [ice]    ice_initialize_vf_entry+0x1fa/0x250 [ice]    ice_sriov_configure+0x8d7/0x1520 [ice]    ? __percpu_ref_switch_mode+0x1b1/0x5d0    ? __pfx_ice_sriov_configure+0x10/0x10 [ice]  Sometimes a KASAN report can be seen instead with a similar stack trace:   BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100  VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21891",
                                "url": "https://ubuntu.com/security/CVE-2025-21891",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvlan: ensure network headers are in skb linear part  syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1]  Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers.  [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47   __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47   ipv6_addr_type include/net/ipv6.h:555 [inline]   ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]   ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651   ip6_route_output include/net/ip6_route.h:93 [inline]   ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476   ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]   ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]   ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]   ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671   ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223   __netdev_start_xmit include/linux/netdevice.h:5150 [inline]   netdev_start_xmit include/linux/netdevice.h:5159 [inline]   xmit_one net/core/dev.c:3735 [inline]   dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751   sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343   qdisc_restart net/sched/sch_generic.c:408 [inline]   __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416   qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127   net_tx_action+0x78b/0x940 net/core/dev.c:5484   handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561   __do_softirq+0x14/0x1a kernel/softirq.c:595   do_softirq+0x9a/0x100 kernel/softirq.c:462   __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389   local_bh_enable include/linux/bottom_half.h:33 [inline]   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]   __dev_queue_xmit+0x2758/0x57d0 
net/core/dev.c:4611   dev_queue_xmit include/linux/netdevice.h:3311 [inline]   packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276   packet_snd net/packet/af_packet.c:3132 [inline]   packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164   sock_sendmsg_nosec net/socket.c:718 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57996",
                                "url": "https://ubuntu.com/security/CVE-2024-57996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: don't allow 1 packet limit  The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well.  This fixes the following syzkaller reported crash:  UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:   __dump_stack lib/dump_stack.c:79 [inline]   dump_stack+0x125/0x19f lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:148 [inline]   __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347   sfq_link net/sched/sch_sfq.c:210 [inline]   sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238   sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500   sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296   netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]   dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362   __dev_close_many+0x214/0x350 net/core/dev.c:1468   dev_close_many+0x207/0x510 net/core/dev.c:1506   unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738   unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695   unregister_netdevice include/linux/netdevice.h:2893 [inline]   __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689   tun_detach drivers/net/tun.c:705 [inline]   tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640   __fput+0x203/0x840 fs/file_table.c:280   task_work_run+0x129/0x1b0 kernel/task_work.c:185   exit_task_work include/linux/task_work.h:33 [inline]   do_exit+0x5ce/0x2200 
kernel/exit.c:931   do_group_exit+0x144/0x310 kernel/exit.c:1046   __do_sys_exit_group kernel/exit.c:1057 [inline]   __se_sys_exit_group kernel/exit.c:1055 [inline]   __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055  do_syscall_64+0x6c/0xd0  entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270  The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1):  tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1  Scenario that triggers the crash:  * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1  * TBF dequeues: it peeks from SFQ which moves the packet to the   gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so   it schedules itself for later.  * the second packet is sent and TBF tries to queues it to SFQ. qdisc   qlen is now 2 and because the SFQ limit is 1 the packet is dropped   by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,   however q->tail is not NULL.  At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37752",
                                "url": "https://ubuntu.com/security/CVE-2025-37752",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: move the limit validation  It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.  Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:  tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1  This fixes the following syzkaller reported crash:  ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120  ubsan_epilogue lib/ubsan.c:231 [inline]  __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429  sfq_link net/sched/sch_sfq.c:203 [inline]  sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231  sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493  sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518  qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035  tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339  qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035  dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311  netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]  dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-01 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38350",
                                "url": "https://ubuntu.com/security/CVE-2025-38350",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Always pass notifications when child class becomes empty  Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.  The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:      tc qdisc add dev lo root handle 1: drr     tc filter add dev lo parent 1: basic classid 1:1     tc class add dev lo parent 1: classid 1:1 drr     tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1     tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0     tc qdisc add dev lo parent 2:1 handle 3: netem     tc qdisc add dev lo parent 3:1 handle 4: blackhole      echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888     tc class delete dev lo classid 1:1     echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888  Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. 
This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-19 07:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21887",
                                "url": "https://ubuntu.com/security/CVE-2025-21887",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up  The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote().  Move dput(upper) after its last use to prevent use-after-free.  BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167  Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:88 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114  print_address_description mm/kasan/report.c:377 [inline]  print_report+0xc3/0x620 mm/kasan/report.c:488  kasan_report+0xd9/0x110 mm/kasan/report.c:601  ovl_dentry_remote fs/overlayfs/util.c:162 [inline]  ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167  ovl_link_up fs/overlayfs/copy_up.c:610 [inline]  ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170  ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223  ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136  vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ...  </TASK>",
                                "cve_priority": "high",
                                "cve_public_date": "2025-03-27 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-81.81 -proposed tracker (LP: #2121671)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.08.11)",
                            "",
                            "  * nvme no longer detected on boot after upgrade to 6.8.0-60 (LP: #2111521)",
                            "    - SAUCE: PCI: Disable RRS polling for Intel SSDPE2KX020T8 nvme",
                            "",
                            "  * No IP Address assigned after hot-plugging Ethernet cable on HP Platform",
                            "    (LP: #2115393)",
                            "    - Revert \"e1000e: change k1 configuration on MTP and later platforms\"",
                            "",
                            "  * minimal kernel lacks modules for blk disk in arm64 openstack environments",
                            "    where config_drive is required (LP: #2118499)",
                            "    - [Config] Enable SYM53C8XX_2 on arm64",
                            "",
                            "  * rcu: Eliminate deadlocks involving do_exit() and RCU tasks (LP: #2117123)",
                            "    - rcu-tasks: Initialize callback lists at rcu_init() time",
                            "    - rcu-tasks: Maintain lists to eliminate RCU-tasks/do_exit() deadlocks",
                            "    - rcu-tasks: Eliminate deadlocks involving do_exit() and RCU tasks",
                            "    - rcu-tasks: Maintain real-time response in rcu_tasks_postscan()",
                            "",
                            "  * BPF header file in wrong location (LP: #2118965)",
                            "    - [Packaging] Install bpf header to correct location",
                            "",
                            "  * i915: support ARL-H gpu (LP: #2117716)",
                            "    - drm/i915: Add additional ARL PCI IDs",
                            "    - drm/i915/mtl: Add fake PCH for Meteor Lake",
                            "    - drm/i915/mtl: Wake GT before sending H2G message",
                            "    - drm/i915/xelpg: Add workaround 14019877138",
                            "    - drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+",
                            "    - drm/i915/display: correct dual pps handling for MTL_PCH+",
                            "",
                            "  * Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux",
                            "    (LP: #2115447)",
                            "    - SAUCE: fs/ceph, selinux: fix NULL pointer dereference on CephFS write",
                            "      with SELinux in permissive mode",
                            "",
                            "  * Noble update: upstream stable patchset 2025-08-04 (LP: #2119458)",
                            "    - clockevents/drivers/i8253: Fix stop sequence for timer 0",
                            "    - sched/isolation: Prevent boot crash when the boot CPU is nohz_full",
                            "    - hrtimer: Use and report correct timerslack values for realtime tasks",
                            "    - mm: add nommu variant of vm_insert_pages()",
                            "    - io_uring: get rid of remap_pfn_range() for mapping rings/sqes",
                            "    - io_uring: don't attempt to mmap larger than what the user asks for",
                            "    - io_uring: fix corner case forgetting to vunmap",
                            "    - io_uring: use vmap() for ring mapping",
                            "    - io_uring: unify io_pin_pages()",
                            "    - io_uring/kbuf: vmap pinned buffer ring",
                            "    - io_uring/kbuf: use vm_insert_pages() for mmap'ed pbuf ring",
                            "    - io_uring: use unpin_user_pages() where appropriate",
                            "    - io_uring: fix error pbuf checking",
                            "    - rust: Disallow BTF generation with Rust + LTO",
                            "    - rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and",
                            "      `Option<KBox<T>>`",
                            "    - lib/buildid: Handle memfd_secret() files in build_id_parse()",
                            "    - mm: split critical region in remap_file_pages() and invoke LSMs in",
                            "      between",
                            "    - stmmac: loongson: Pass correct arg to PCI function",
                            "    - rust: lockdep: Remove support for dynamically allocated LockClassKeys",
                            "    - netfilter: nf_tables: allow clone callbacks to sleep",
                            "    - drm/amd/display: should support dmub hw lock on Replay",
                            "    - drm/amd/display: Use HW lock mgr for PSR1 when only one eDP",
                            "    - KVM: arm64: Calculate cptr_el2 traps on activating traps",
                            "    - KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state",
                            "    - KVM: arm64: Remove host FPSIMD saving for non-protected KVM",
                            "    - KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN",
                            "    - KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN",
                            "    - KVM: arm64: Refactor exit handlers",
                            "    - KVM: arm64: Eagerly switch ZCR_EL{1,2}",
                            "    - Revert \"sched/core: Reduce cost of sched_move_task when config",
                            "      autogroup\"",
                            "    - wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version",
                            "      8",
                            "    - netfilter: nft_counter: Use u64_stats_t for statistic.",
                            "    - firmware: imx-scu: fix OF node leak in .probe()",
                            "    - arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply",
                            "    - arm64: dts: rockchip: remove supports-cqe from rk3588 jaguar",
                            "    - xfrm: fix tunnel mode TX datapath in packet offload mode",
                            "    - xfrm_output: Force software GSO only in tunnel mode",
                            "    - soc: imx8m: Remove global soc_uid",
                            "    - soc: imx8m: Use devm_* to simplify probe failure handling",
                            "    - soc: imx8m: Unregister cpufreq and soc dev in cleanup path",
                            "    - ARM: dts: bcm2711: Fix xHCI power-domain",
                            "    - ARM: dts: bcm2711: PL011 UARTs are actually r1p5",
                            "    - arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1",
                            "    - RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx",
                            "    - RDMA/mlx5: Handle errors returned from mlx5r_ib_rate()",
                            "    - ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP",
                            "    - ARM: dts: bcm2711: Don't mark timer regs unconfigured",
                            "    - dma-mapping: fix missing clear bdr in check_ram_in_range_map()",
                            "    - RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path",
                            "    - RDMA/hns: Fix soft lockup during bt pages loop",
                            "    - RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()",
                            "    - RDMA/hns: Fix a missing rollback in error path of",
                            "      hns_roce_create_qp_common()",
                            "    - RDMA/hns: Fix missing xa_destroy()",
                            "    - RDMA/hns: Fix wrong value of max_sge_rd",
                            "    - Bluetooth: Fix error code in chan_alloc_skb_cb()",
                            "    - Bluetooth: hci_event: Fix connection regression between LE and non-LE",
                            "      adapters",
                            "    - accel/qaic: Fix possible data corruption in BOs > 2G",
                            "    - ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX",
                            "    - ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().",
                            "    - ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().",
                            "    - devlink: fix xa_alloc_cyclic() error handling",
                            "    - dpll: fix xa_alloc_cyclic() error handling",
                            "    - gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU",
                            "    - net: atm: fix use after free in lec_send()",
                            "    - net: lwtunnel: fix recursion loops",
                            "    - net: ipv6: ioam6: fix lwtunnel_output() loop",
                            "    - libfs: Fix duplicate directory entry in offset_dir_lookup",
                            "    - net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES",
                            "    - i2c: omap: fix IRQ storms",
                            "    - net: mana: Support holes in device list reply msg",
                            "    - can: rcar_canfd: Fix page entries in the AFL list",
                            "    - can: ucan: fix out of bound read in strscpy() source",
                            "    - can: flexcan: only change CAN state when link up in system PM",
                            "    - can: flexcan: disable transceiver during system PM",
                            "    - drm/xe: Fix exporting xe buffers multiple times",
                            "    - drm/v3d: Don't run jobs that have errors flagged in its fence",
                            "    - riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function",
                            "      definitions",
                            "    - regulator: dummy: force synchronous probing",
                            "    - regulator: check that dummy regulator has been probed before using it",
                            "    - accel/qaic: Fix integer overflow in qaic_validate_req()",
                            "    - arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to",
                            "      sound card",
                            "    - arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to",
                            "      sound card",
                            "    - arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou",
                            "    - mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops",
                            "    - mmc: atmel-mci: Add missing clk_disable_unprepare()",
                            "    - mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT",
                            "    - mm/migrate: fix shmem xarray update during migration",
                            "    - proc: fix UAF in proc_get_inode()",
                            "    - ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6",
                            "    - ARM: shmobile: smp: Enforce shmobile_smp_* alignment",
                            "    - efi/libstub: Avoid physical address 0x0 when doing random allocation",
                            "    - xsk: fix an integer overflow in xp_create_and_assign_umem()",
                            "    - batman-adv: Ignore own maximum aggregation size during RX",
                            "    - soc: qcom: pdr: Fix the potential deadlock",
                            "    - pmdomain: amlogic: fix T7 ISP secpower",
                            "    - drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()",
                            "    - drm/sched: Fix fence reference count leak",
                            "    - drm/amd/display: Fix message for support_edp0_on_dp1",
                            "    - drm/amd/pm: add unique_id for gfx12",
                            "    - drm/amdgpu: Remove JPEG from vega and carrizo video caps",
                            "    - drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size",
                            "    - drm/amdgpu: Fix JPEG video caps max size for navi1x and raven",
                            "    - ksmbd: fix incorrect validation for num_aces field of smb_acl",
                            "    - KVM: arm64: Mark some header functions as inline",
                            "    - arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S",
                            "    - mptcp: Fix data stream corruption in the address announcement",
                            "    - net: lwtunnel: disable BHs when required",
                            "    - Upstream stable to v6.6.84, v6.6.85, v6.12.21",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-28 (LP: #2118927)",
                            "    - drm/i915/xe2lpd: Move D2D enable/disable",
                            "    - drm/i915/ddi: Fix HDMI port width programming in DDI_BUF_CTL",
                            "    - ibmvnic: Perform tx CSO during send scrq direct",
                            "    - ibmvnic: Inspect header requirements before using scrq direct",
                            "    - drm/amdgpu: Check extended configuration space register when system uses",
                            "      large bar",
                            "    - drm/amdgpu: disable BAR resize on Dell G5 SE",
                            "    - net: enetc: Remove setting of RX software timestamp",
                            "    - net: enetc: Replace ifdef with IS_ENABLED",
                            "    - net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC",
                            "    - NFS: O_DIRECT writes must check and adjust the file length",
                            "    - riscv: cacheinfo: remove the useless input parameter (node) of",
                            "      ci_leaf_init()",
                            "    - riscv: cacheinfo: initialize cacheinfo's level and type from ACPI PPTT",
                            "    - riscv: Prevent a bad reference count on CPU nodes",
                            "    - riscv: cacheinfo: Use of_property_present() for non-boolean properties",
                            "    - mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear()",
                            "    - arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes",
                            "    - drm/i915/dsi: Use TRANS_DDI_FUNC_CTL's own port width macro",
                            "    - x86/mm: Don't disable PCID when INVLPG has been fixed by microcode",
                            "    - ima: Reset IMA_NONACTION_RULE_FLAGS after post_setattr",
                            "    - x86/boot: Sanitize boot params before parsing command line",
                            "    - fbdev: hyperv_fb: iounmap() the correct memory when removing a device",
                            "    - pinctrl: bcm281xx: Fix incorrect regmap max_registers value",
                            "    - pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw",
                            "    - netfilter: nft_ct: Use __refcount_inc() for per-CPU",
                            "      nft_ct_pcpu_template.",
                            "    - ice: fix memory leak in aRFS after reset",
                            "    - netfilter: nf_conncount: garbage collection is not skipped when jiffies",
                            "      wrap around",
                            "    - netfilter: nf_tables: make destruction work queue pernet",
                            "    - sched: address a potential NULL pointer dereference in the GRED",
                            "      scheduler.",
                            "    - wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms",
                            "    - wifi: mac80211: don't queue sdata::work for a non-running sdata",
                            "    - wifi: cfg80211: cancel wiphy_work before freeing wiphy",
                            "    - Bluetooth: hci_event: Fix enabling passive scanning",
                            "    - net/mlx5: Fill out devlink dev info only for PFs",
                            "    - net: dsa: mv88e6xxx: Verify after ATU Load ops",
                            "    - net: mctp i3c: Copy headers if cloned",
                            "    - net: mctp i2c: Copy headers if cloned",
                            "    - netpoll: hold rcu read lock in __netpoll_send_skb()",
                            "    - drm/hyperv: Fix address space leak when Hyper-V DRM device is removed",
                            "    - fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs",
                            "    - fbdev: hyperv_fb: Simplify hvfb_putmem",
                            "    - fbdev: hyperv_fb: Allow graceful removal of framebuffer",
                            "    - Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()",
                            "    - net/mlx5: handle errors in mlx5_chains_create_table()",
                            "    - eth: bnxt: fix truesize for mb-xdp-pass case",
                            "    - eth: bnxt: do not update checksum in bnxt_xdp_build_skb()",
                            "    - net: switchdev: Convert blocking notification chain to a raw one",
                            "    - net: mctp: unshare packets when reassembling",
                            "    - bonding: fix incorrect MAC address setting to receive NS messages",
                            "    - netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in",
                            "      insert_tree()",
                            "    - ipvs: prevent integer overflow in do_ip_vs_get_ctl()",
                            "    - netfilter: nft_exthdr: fix offset with ipv4_find_option()",
                            "    - net: openvswitch: remove misbehaving actions length check",
                            "    - net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch",
                            "    - net/mlx5: Bridge, fix the crash caused by LAG state check",
                            "    - net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed",
                            "      devices",
                            "    - nvme-fc: go straight to connecting state when initializing",
                            "    - nvme-fc: do not ignore connectivity loss during connecting",
                            "    - hrtimers: Mark is_migration_base() with __always_inline",
                            "    - powercap: call put_device() on an error path in",
                            "      powercap_register_control_type()",
                            "    - futex: Pass in task to futex_queue()",
                            "    - sched/debug: Provide slice length for fair tasks",
                            "    - platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show()",
                            "    - scsi: core: Use GFP_NOIO to avoid circular locking dependency",
                            "    - scsi: ufs: core: Fix error return with query response",
                            "    - scsi: qla1280: Fix kernel oops when debug level > 2",
                            "    - ACPI: resource: IRQ override for Eluktronics MECH-17",
                            "    - smb: client: fix noisy when tree connecting to DFS interlink targets",
                            "    - alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support",
                            "    - vboxsf: fix building with GCC 15",
                            "    - HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell",
                            "    - HID: intel-ish-hid: Send clock sync message immediately after reset",
                            "    - HID: ignore non-functional sensor in HP 5MP Camera",
                            "    - HID: hid-steam: Fix issues with disabling both gamepad mode and lizard",
                            "      mode",
                            "    - usb: phy: generic: Use proper helper for property detection",
                            "    - HID: topre: Fix n-key rollover on Realforce R3S TKL boards",
                            "    - HID: hid-apple: Apple Magic Keyboard a3203 USB-C support",
                            "    - HID: apple: fix up the F6 key on the Omoton KB066 keyboard",
                            "    - objtool: Ignore dangling jump table entries",
                            "    - sched: Clarify wake_up_q()'s write to task->wake_q.next",
                            "    - platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e",
                            "    - platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles",
                            "    - platform/x86: int3472: Use str_high_low()",
                            "    - platform/x86: int3472: Use GPIO_LOOKUP() macro",
                            "    - platform/x86: int3472: Use correct type for \"polarity\", call it",
                            "      gpio_flags",
                            "    - platform/x86: int3472: Call \"reset\" GPIO \"enable\" for INT347E",
                            "    - s390/cio: Fix CHPID \"configure\" attribute caching",
                            "    - thermal/cpufreq_cooling: Remove structure member documentation",
                            "    - LoongArch: KVM: Set host with kernel mode when switch to VM mode",
                            "    - arm64: amu: Delay allocating cpumask for AMU FIE support",
                            "    - Xen/swiotlb: mark xen_swiotlb_fixup() __init",
                            "    - Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd",
                            "    - selftests/bpf: Fix invalid flag of recv()",
                            "    - ASoC: Intel: sof_sdw: Add lookup of quirk using PCI subsystem ID",
                            "    - ASoC: simple-card-utils.c: add missing dlc->of_node",
                            "    - ALSA: hda/realtek: Limit mic boost on Positivo ARN50",
                            "    - ASoC: rsnd: indicate unsupported clock rate",
                            "    - ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()",
                            "    - ASoC: rsnd: adjust convert rate limitation",
                            "    - ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.",
                            "    - ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module",
                            "    - ASoC: SOF: amd: Add post_fw_run_delay ACP quirk",
                            "    - ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE",
                            "    - net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors",
                            "    - io-wq: backoff when retrying worker creation",
                            "    - nvme-pci: quirk Acer FA100 for non-uniqueue identifiers",
                            "    - nvmet-rdma: recheck queue state is LIVE in state lock in recv done",
                            "    - apple-nvme: Release power domains when probe fails",
                            "    - cifs: Treat unhandled directory name surrogate reparse points as mount",
                            "      directory nodes",
                            "    - sctp: Fix undefined behavior in left shift operation",
                            "    - nvme: only allow entering LIVE from CONNECTING state",
                            "    - phy: ti: gmii-sel: Simplify with dev_err_probe()",
                            "    - phy: ti: gmii-sel: Do not use syscon helper to build regmap",
                            "    - ASoC: tas2770: Fix volume scale",
                            "    - ASoC: tas2764: Fix power control mask",
                            "    - ASoC: tas2764: Set the SDOUT polarity correctly",
                            "    - fuse: don't truncate cached, mutated symlink",
                            "    - drm/vkms: Round fixp2int conversion in lerp_u16",
                            "    - perf/x86/intel: Use better start period for frequency mode",
                            "    - x86/irq: Define trace events conditionally",
                            "    - mptcp: safety check before fallback",
                            "    - drm/nouveau: Do not override forced connector status",
                            "    - net: Handle napi_schedule() calls from non-interrupt",
                            "    - block: fix 'kmem_cache of name 'bio-108' already exists'",
                            "    - cifs: Validate content of WSL reparse point buffers",
                            "    - cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from",
                            "      parse_reparse_point()",
                            "    - Input: ads7846 - fix gpiod allocation",
                            "    - Input: iqs7222 - preserve system status register",
                            "    - Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE",
                            "      controllers",
                            "    - Input: xpad - add multiple supported devices",
                            "    - Input: xpad - add support for ZOTAC Gaming Zone",
                            "    - Input: xpad - add support for TECNO Pocket Go",
                            "    - Input: xpad - rename QH controller to Legion Go S",
                            "    - Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ",
                            "    - Input: i8042 - add required quirks for missing old boardnames",
                            "    - Input: i8042 - swap old quirk combination with new quirk for several",
                            "      devices",
                            "    - Input: i8042 - swap old quirk combination with new quirk for more",
                            "      devices",
                            "    - USB: serial: ftdi_sio: add support for Altera USB Blaster 3",
                            "    - USB: serial: option: add Telit Cinterion FE990B compositions",
                            "    - USB: serial: option: fix Telit Cinterion FE990A name",
                            "    - USB: serial: option: match on interface class for Telit FN990B",
                            "    - x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes",
                            "    - drm/i915/cdclk: Do cdclk post plane programming later",
                            "    - drm/atomic: Filter out redundant DPMS calls",
                            "    - drm/dp_mst: Fix locking when skipping CSN before topology probing",
                            "    - drm/amd/amdkfd: Evict all queues even HWS remove queue failed",
                            "    - drm/amd/display: Disable unneeded hpd interrupts during dm_init",
                            "    - drm/amd/display: Restore correct backlight brightness after a GPU reset",
                            "    - drm/amd/display: Assign normalized_pix_clk when color depth = 14",
                            "    - drm/amd/display: Fix slab-use-after-free on hdcp_work",
                            "    - ksmbd: fix use-after-free in ksmbd_free_work_struct",
                            "    - ksmbd: prevent connection release during oplock break notification",
                            "    - clk: samsung: update PLL locktime for PLL142XX used on FSD platform",
                            "    - clk: samsung: gs101: fix synchronous external abort in",
                            "      samsung_clk_save()",
                            "    - ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model",
                            "    - dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature",
                            "    - arm64: mm: Populate vmemmap at the page level if not section aligned",
                            "    - Fix mmu notifiers for range-based invalidates",
                            "    - qlcnic: fix memory leak issues in qlcnic_sriov_common.c",
                            "    - smb: client: fix regression with guest option",
                            "    - net: phy: nxp-c45-tja11xx: add TJA112X PHY configuration errata",
                            "    - net: phy: nxp-c45-tja11xx: add TJA112XB SGMII PCS restart errata",
                            "    - ASoC: ops: Consistently treat platform_max as control value",
                            "    - rust: error: add missing newline to pr_warn! calls",
                            "    - drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()",
                            "    - ASoC: cs42l43: Fix maximum ADC Volume",
                            "    - rust: init: add missing newline to pr_info! calls",
                            "    - ASoC: rt722-sdca: add missing readable registers",
                            "    - drm/xe: cancel pending job timer before freeing scheduler",
                            "    - drm/xe: Release guc ids before cancelling work",
                            "    - ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()",
                            "    - scripts: generate_rust_analyzer: add missing macros deps",
                            "    - scripts: generate_rust_analyzer: add missing include_dirs",
                            "    - scripts: generate_rust_analyzer: add uapi crate",
                            "    - cifs: Fix integer overflow while processing acregmax mount option",
                            "    - cifs: Fix integer overflow while processing acdirmax mount option",
                            "    - cifs: Fix integer overflow while processing actimeo mount option",
                            "    - cifs: Fix integer overflow while processing closetimeo mount option",
                            "    - x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware",
                            "      hypervisors",
                            "    - i2c: ali1535: Fix an error handling path in ali1535_probe()",
                            "    - i2c: ali15x3: Fix an error handling path in ali15x3_probe()",
                            "    - i2c: sis630: Fix an error handling path in sis630_probe()",
                            "    - mm/hugetlb: wait for hugetlb folios to be freed",
                            "    - smb3: add support for IAKerb",
                            "    - smb: client: Fix match_session bug preventing session reuse",
                            "    - Bluetooth: L2CAP: Fix corrupted list in hci_chan_del",
                            "    - nvme-fc: rely on state transitions to handle connectivity loss",
                            "    - HID: apple: disable Fn key handling on the Omoton KB066",
                            "    - Input: xpad - fix two controller table values",
                            "    - cifs: Ensure that all non-client-specific reparse points are processed",
                            "      by the server",
                            "    - wifi: cfg80211: init wiphy_work before allocating rfkill fails",
                            "    - ksmbd: fix r_count dec/increment mismatch",
                            "    - nvme: unblock ctrl state transition for firmware update",
                            "    - Upstream stable to v6.6.83, v6.12.20",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-22 (LP: #2117533)",
                            "    - x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()",
                            "    - gpio: vf610: use generic device_get_match_data()",
                            "    - gpio: vf610: add locking to gpio direction functions",
                            "    - cifs: Remove symlink member from cifs_open_info_data union",
                            "    - smb311: failure to open files of length 1040 when mounting with SMB3.1.1",
                            "      POSIX extensions",
                            "    - btrfs: fix data overwriting bug during buffered write when block size <",
                            "      page size",
                            "    - x86/microcode/AMD: Add some forgotten models to the SHA check",
                            "    - rust: workqueue: remove unneeded ``#[allow(clippy::new_ret_no_self)]`",
                            "    - rust: init: remove unneeded `#[allow(clippy::disallowed_names)]`",
                            "    - rust: introduce `.clippy.toml`",
                            "    - rust: replace `clippy::dbg_macro` with `disallowed_macros`",
                            "    - rust: provide proper code documentation titles",
                            "    - rust: enable Clippy's `check-private-items`",
                            "    - Documentation: rust: add coding guidelines on lints",
                            "    - Documentation: rust: discuss `#[expect(...)]` in the guidelines",
                            "    - rust: error: make conversion functions public",
                            "    - rust: error: optimize error type to use nonzero",
                            "    - rust: error: check for config `test` in `Error::name`",
                            "    - rust: fix size_t in bindgen prototypes of C builtins",
                            "    - rust: map `__kernel_size_t` and friends also to usize/isize",
                            "    - tracing: tprobe-events: Fix a memory leak when tprobe with $retval",
                            "    - LoongArch: Convert unreachable() to BUG()",
                            "    - LoongArch: Use polling play_dead() when resuming from hibernation",
                            "    - LoongArch: Set max_pfn with the PFN of the last page",
                            "    - LoongArch: KVM: Add interrupt checking for AVEC",
                            "    - LoongArch: KVM: Reload guest CSR registers after sleep",
                            "    - LoongArch: KVM: Fix GPA size issue about VM",
                            "    - HID: appleir: Fix potential NULL dereference at raw event handle",
                            "    - ksmbd: fix type confusion via race condition when using",
                            "      ipc_msg_send_request",
                            "    - ksmbd: fix out-of-bounds in parse_sec_desc()",
                            "    - ksmbd: fix use-after-free in smb2_lock",
                            "    - ksmbd: fix bug on trap in smb2_lock",
                            "    - gpio: rcar: Use raw_spinlock to protect register access",
                            "    - ALSA: seq: Avoid module auto-load handling at event delivery",
                            "    - ALSA: hda: intel: Add Dell ALC3271 to power_save denylist",
                            "    - ALSA: hda/realtek: update ALC222 depop optimize",
                            "    - btrfs: fix a leaked chunk map issue in read_one_chunk()",
                            "    - hwmon: (peci/dimmtemp) Do not provide fake thresholds data",
                            "    - drm/amd/display: Fix null check for pipe_ctx->plane_state in",
                            "      resource_build_scaling_params",
                            "    - drm/imagination: avoid deadlock on fence release",
                            "    - drm/imagination: Hold drm_gem_gpuva lock for unmap",
                            "    - drm/imagination: only init job done fences once",
                            "    - drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M",
                            "    - platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e",
                            "    - x86/cacheinfo: Validate CPUID leaf 0x2 EDX output",
                            "    - x86/cpu: Validate CPUID leaf 0x2 EDX output",
                            "    - x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63",
                            "    - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()",
                            "    - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()",
                            "    - wifi: cfg80211: regulatory: improve invalid hints checking",
                            "    - wifi: nl80211: reject cooked mode if it is set along with other flags",
                            "    - rapidio: add check for rio_add_net() in rio_scan_alloc_net()",
                            "    - rapidio: fix an API misues when rio_add_net() fails",
                            "    - dma: kmsan: export kmsan_handle_dma() for modules",
                            "    - s390/traps: Fix test_monitor_call() inline assembly",
                            "    - NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback",
                            "    - userfaultfd: do not block on locking a large folio with raised refcount",
                            "    - block: fix conversion of GPT partition name to 7-bit",
                            "    - mm/page_alloc: fix uninitialized variable",
                            "    - mm: don't skip arch_sync_kernel_mappings() in error paths",
                            "    - wifi: iwlwifi: mvm: don't try to talk to a dead firmware",
                            "    - wifi: iwlwifi: limit printed string from FW file",
                            "    - HID: google: fix unused variable warning under !CONFIG_ACPI",
                            "    - HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()",
                            "    - HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()",
                            "    - bluetooth: btusb: Initialize .owner field of force_poll_sync_fops",
                            "    - nvme-tcp: add basic support for the C2HTermReq PDU",
                            "    - nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()",
                            "    - net: gso: fix ownership in __udp_gso_segment",
                            "    - caif_virtio: fix wrong pointer check in cfv_probe()",
                            "    - perf/core: Fix pmus_lock vs. pmus_srcu ordering",
                            "    - hwmon: (pmbus) Initialise page count in pmbus_identify()",
                            "    - hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table",
                            "    - hwmon: (ad7314) Validate leading zero bits and return error",
                            "    - tracing: probe-events: Remove unused MAX_ARG_BUF_LEN macro",
                            "    - drm/imagination: Fix timestamps in firmware traces",
                            "    - ALSA: usx2y: validate nrpacks module parameter on probe",
                            "    - llc: do not use skb_get() before dev_queue_xmit()",
                            "    - hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()",
                            "    - drm/sched: Fix preprocessor guard",
                            "    - be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink",
                            "    - net: hns3: make sure ptp clock is unregister and freed if",
                            "      hclge_ptp_get_cycle returns an error",
                            "    - net: ipa: Fix v4.7 resource group names",
                            "    - net: ipa: Fix QSB data for v4.7",
                            "    - net: ipa: Enable checksum for IPA_ENDPOINT_AP_MODEM_{RX,TX} for v4.7",
                            "    - ppp: Fix KMSAN uninit-value warning with bpf",
                            "    - vlan: enforce underlying device type",
                            "    - x86/sgx: Fix size overflows in sgx_encl_create()",
                            "    - exfat: fix soft lockup in exfat_clear_bitmap",
                            "    - exfat: short-circuit zero-byte writes in exfat_file_write_iter",
                            "    - net-timestamp: support TCP GSO case for a few missing flags",
                            "    - ublk: set_params: properly check if parameters can be applied",
                            "    - sched/fair: Fix potential memory corruption in child_cfs_rq_on_list",
                            "    - nvme-tcp: fix signedness bug in nvme_tcp_init_connection()",
                            "    - net: dsa: mt7530: Fix traffic flooding for MMIO devices",
                            "    - mctp i3c: handle NULL header address",
                            "    - net: ipv6: fix dst ref loop in ila lwtunnel",
                            "    - net: ipv6: fix missing dst ref drop in ila lwtunnel",
                            "    - gpio: rcar: Fix missing of_node_put() call",
                            "    - usb: renesas_usbhs: Call clk_put()",
                            "    - usb: renesas_usbhs: Use devm_usb_get_phy()",
                            "    - usb: hub: lack of clearing xHC resources",
                            "    - usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card",
                            "      Reader",
                            "    - usb: typec: ucsi: Fix NULL pointer access",
                            "    - usb: renesas_usbhs: Flush the notify_hotplug_work",
                            "    - usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails",
                            "    - usb: atm: cxacru: fix a flaw in existing endpoint checks",
                            "    - usb: dwc3: Set SUSPENDENABLE soon after phy init",
                            "    - usb: dwc3: gadget: Prevent irq storm when TH re-executes",
                            "    - usb: typec: ucsi: increase timeout for PPM reset operations",
                            "    - usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality",
                            "    - usb: gadget: Set self-powered based on MaxPower and bmAttributes",
                            "    - usb: gadget: Fix setting self-powered state on suspend",
                            "    - usb: gadget: Check bmAttributes only if configuration is valid",
                            "    - kbuild: userprogs: use correct lld when linking through clang",
                            "    - xhci: pci: Fix indentation in the PCI device ID definitions",
                            "    - usb: xhci: Enable the TRB overfetch quirk on VIA VL805",
                            "    - KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow",
                            "    - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value",
                            "    - KVM: SVM: Suppress DEBUGCTL.BTF on AMD",
                            "    - KVM: x86: Snapshot the host's DEBUGCTL in common x86",
                            "    - KVM: SVM: Manually context switch DEBUGCTL if LBR virtualization is",
                            "      disabled",
                            "    - KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs",
                            "    - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by",
                            "      KVM",
                            "    - cdx: Fix possible UAF error in driver_override_show()",
                            "    - mei: me: add panther lake P DID",
                            "    - mei: vsc: Use \"wakeuphostint\" when getting the host wakeup GPIO",
                            "    - intel_th: pci: Add Arrow Lake support",
                            "    - intel_th: pci: Add Panther Lake-H support",
                            "    - intel_th: pci: Add Panther Lake-P/U support",
                            "    - slimbus: messaging: Free transaction ID in delayed interrupt scenario",
                            "    - bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid",
                            "      deadlock",
                            "    - eeprom: digsy_mtc: Make GPIO lookup table match the device",
                            "    - drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl",
                            "    - iio: filter: admv8818: Force initialization of SDO",
                            "    - iio: dac: ad3552r: clear reset status flag",
                            "    - iio: adc: ad7192: fix channel select",
                            "    - iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value",
                            "    - kbuild: hdrcheck: fix cross build with clang",
                            "    - nvme-tcp: Fix a C2HTermReq error message",
                            "    - docs: rust: remove spurious item in `expect` list",
                            "    - Upstream stable to v6.6.82, v6.12.19",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878)",
                            "    - IB/mlx5: Set and get correct qp_num for a DCT QP",
                            "    - RDMA/mana_ib: Allocate PAGE aligned doorbell index",
                            "    - scsi: ufs: core: Fix ufshcd_is_ufs_dev_busy() and ufshcd_eh_timed_out()",
                            "    - SUNRPC: convert RPC_TASK_* constants to enum",
                            "    - SUNRPC: Prevent looping due to rpc_signal_task() races",
                            "    - SUNRPC: Handle -ETIMEDOUT return from tlshd",
                            "    - RDMA/mlx5: Fix AH static rate parsing",
                            "    - scsi: core: Clear driver private data when retrying request",
                            "    - RDMA/mlx5: Fix bind QP error cleanup flow",
                            "    - sunrpc: suppress warnings for unused procfs functions",
                            "    - ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports",
                            "    - Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response",
                            "    - rxrpc: rxperf: Fix missing decoding of terminal magic cookie",
                            "    - afs: Fix the server_list to unuse a displaced server rather than putting",
                            "      it",
                            "    - net: loopback: Avoid sending IP packets without an Ethernet header",
                            "    - net: set the minimum for net_hotdata.netdev_budget_usecs",
                            "    - net/ipv4: add tracepoint for icmp_send",
                            "    - ipv4: icmp: Pass full DS field to ip_route_input()",
                            "    - ipv4: icmp: Unmask upper DSCP bits in icmp_route_lookup()",
                            "    - ipvlan: Unmask upper DSCP bits in ipvlan_process_v4_outbound()",
                            "    - ipv4: Convert icmp_route_lookup() to dscp_t.",
                            "    - ipv4: Convert ip_route_input() to dscp_t.",
                            "    - ipvlan: Prepare ipvlan_process_v4_outbound() to future .flowi4_tos",
                            "      conversion.",
                            "    - net: cadence: macb: Synchronize stats calculations",
                            "    - ASoC: es8328: fix route from DAC to output",
                            "    - ipvs: Always clear ipvs_property flag in skb_scrub_packet()",
                            "    - firmware: cs_dsp: Remove async regmap writes",
                            "    - ALSA: hda/realtek: Fix wrong mic setup for ASUS VivoBook 15",
                            "    - ice: add E830 HW VF mailbox message limit support",
                            "    - tcp: Defer ts_recent changes until req is owned",
                            "    - net: Clear old fragment checksum value in napi_reuse_skb",
                            "    - net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination.",
                            "    - net/mlx5: IRQ, Fix null string in debug print",
                            "    - net: ipv6: fix dst ref loop on input in seg6 lwt",
                            "    - net: ipv6: fix dst ref loop on input in rpl lwt",
                            "    - net: ti: icss-iep: Remove spinlock-based synchronization",
                            "    - net: ti: icss-iep: Reject perout generation request",
                            "    - io_uring/net: save msg_control for compat",
                            "    - x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems",
                            "    - phy: rockchip: naneng-combphy: compatible reset with old DT",
                            "    - RISCV: KVM: Introduce mp_state_lock to avoid lock inversion",
                            "    - riscv: KVM: Fix hart suspend status check",
                            "    - riscv: KVM: Fix SBI IPI error generation",
                            "    - riscv: KVM: Fix SBI TIME error generation",
                            "    - ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2",
                            "    - ALSA: hda/realtek: Fix microphone regression on ASUS N705UD",
                            "    - perf/x86: Fix low freqency setting issue",
                            "    - perf/core: Fix low freq setting via IOC_PERIOD",
                            "    - drm/amd/display: Disable PSR-SU on eDP panels",
                            "    - drm/amd/display: Fix HPD after gpu reset",
                            "    - i2c: ls2x: Fix frequency division register access",
                            "    - net: enetc: fix the off-by-one issue in enetc_map_tx_buffs()",
                            "    - net: enetc: keep track of correct Tx BD count in",
                            "      enetc_map_tx_tso_buffs()",
                            "    - net: enetc: update UDP checksum when updating originTimestamp field",
                            "    - net: enetc: correct the xdp_tx statistics",
                            "    - net: enetc: fix the off-by-one issue in enetc_map_tx_tso_buffs()",
                            "    - phy: tegra: xusb: reset VBUS & ID OVERRIDE",
                            "    - phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in",
                            "      refclk",
                            "    - mptcp: reset when MPTCP opts are dropped after join",
                            "    - vmlinux.lds: Ensure that const vars with relocations are mapped R/O",
                            "    - rcuref: Plug slowpath race in rcuref_put()",
                            "    - rseq/selftests: Fix riscv rseq_offset_deref_addv inline asm",
                            "    - riscv/futex: sign extend compare value in atomic cmpxchg",
                            "    - riscv: signal: fix signal frame size",
                            "    - rtla/timerlat_hist: Set OSNOISE_WORKLOAD for kernel threads",
                            "    - rtla/timerlat_top: Set OSNOISE_WORKLOAD for kernel threads",
                            "    - amdgpu/pm/legacy: fix suspend/resume issues",
                            "    - gve: set xdp redirect target only when it is available",
                            "    - x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID",
                            "    - x86/microcode/AMD: Pay attention to the stepping dynamically",
                            "    - x86/microcode/AMD: Split load_microcode_amd()",
                            "    - x86/microcode/intel: Remove unnecessary cache writeback and invalidation",
                            "    - x86/microcode/AMD: Flush patch buffer mapping after application",
                            "    - x86/microcode/AMD: Return bool from find_blobs_in_containers()",
                            "    - x86/microcode/AMD: Make __verify_patch_size() return bool",
                            "    - x86/microcode/AMD: Have __apply_microcode_amd() return bool",
                            "    - x86/microcode/AMD: Merge early_apply_microcode() into its single",
                            "      callsite",
                            "    - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward",
                            "      declaration",
                            "    - x86/microcode/AMD: Add get_patch_level()",
                            "    - x86/microcode/AMD: Load only SHA256-checksummed patches",
                            "    - x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive",
                            "    - RDMA/mlx5: Fix a race for DMABUF MR which can lead to CQE with error",
                            "    - RDMA/hns: Fix mbox timing out by adding retry mechanism",
                            "    - RDMA/bnxt_re: Allocate dev_attr information dynamically",
                            "    - RDMA/bnxt_re: Fix the statistics for Gen P7 VF",
                            "    - landlock: Fix non-TCP sockets restriction",
                            "    - RDMA/mlx5: Fix implicit ODP hang on parent deregistration",
                            "    - scsi: ufs: core: Set default runtime/system PM levels before",
                            "      ufshcd_hba_init()",
                            "    - afs: Give an afs_server object a ref on the afs_cell object it points to",
                            "    - ASoC: cs35l56: Prevent races when soft-resetting using SPI control",
                            "    - thermal: gov_power_allocator: Fix incorrect calculation in",
                            "      divvy_up_power()",
                            "    - unreachable: Unify",
                            "    - objtool: Remove annotate_{,un}reachable()",
                            "    - objtool: Fix C jump table annotations for Clang",
                            "    - riscv: KVM: Fix hart suspend_type use",
                            "    - KVM: arm64: Ensure a VMID is allocated before programming VTTBR_EL2",
                            "    - drm/xe/regs: remove a duplicate definition for RING_CTL_SIZE(size)",
                            "    - drm/xe/userptr: restore invalidation list on error",
                            "    - drm/amdkfd: Preserve cp_hqd_pq_control on update_mqd",
                            "    - drm/amd/display: Add option to configure mapping policy for edp0 on dp1",
                            "    - drm/amd/display: add a quirk to enable eDP0 on DP1",
                            "    - intel_idle: Handle older CPUs, which stop the TSC in deeper C states,",
                            "      correctly",
                            "    - selftests/landlock: Test that MPTCP actions are not restricted",
                            "    - selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP",
                            "    - riscv: signal: fix signal_minsigstksz",
                            "    - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section()",
                            "      signature",
                            "    - x86/microcode/AMD: Remove unused save_microcode_in_initrd_amd()",
                            "      declarations",
                            "    - Upstream stable to v6.6.81, v6.12.18",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21872",
                            "    - efi: Don't map the entire mokvar table to determine its size",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21880",
                            "    - drm/xe/userptr: fix EFAULT handling",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21890",
                            "    - idpf: fix checksums set in idpf_rx_rsc()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21885",
                            "    - RDMA/bnxt_re: Fix the page details for the srq created by kernel",
                            "      consumers",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21888",
                            "    - RDMA/mlx5: Fix a WARN during dereg_mr for DM type",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21892",
                            "    - RDMA/mlx5: Fix the recovery flow of the UMR QP",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21873",
                            "    - scsi: ufs: core: bsg: Fix crash when arpmb command fails",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2024-58090",
                            "    - sched/core: Prevent rescheduling when interrupts are disabled",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21875",
                            "    - mptcp: always handle address removal under msk socket lock",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21877",
                            "    - usbnet: gl620a: fix endpoint checking in genelink_bind()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21878",
                            "    - i2c: npcm: disable interrupt enable bit before devm_request_irq",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21889",
                            "    - perf/core: Add RCU read lock protection to perf_iterate_ctx()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21898",
                            "    - ftrace: Avoid potential division by zero in function_stat_show()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21899",
                            "    - tracing: Fix bad hist from corrupting named_triggers list",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21881",
                            "    - uprobes: Reject the shared zeropage in uprobe_write_opcode()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21895",
                            "    - perf/core: Order the PMU list to fix warning about unordered",
                            "      pmu_ctx_list",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21883",
                            "    - ice: Fix deinitializing VF in error path",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-14 (LP: #2116878) //",
                            "    CVE-2025-21891",
                            "    - ipvlan: ensure network headers are in skb linear part",
                            "",
                            "  * CVE-2024-57996 // CVE-2025-37752",
                            "    - net_sched: sch_sfq: move the limit validation",
                            "",
                            "  * CVE-2025-38350",
                            "    - net/sched: Always pass notifications when child class becomes empty",
                            "",
                            "  * CVE-2025-21887",
                            "    - ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-81.81",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2121671,
                            1786013,
                            2111521,
                            2115393,
                            2118499,
                            2117123,
                            2118965,
                            2117716,
                            2115447,
                            2119458,
                            2118927,
                            2117533,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878,
                            2116878
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Fri, 29 Aug 2025 13:39:12 +0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-21861",
                                "url": "https://ubuntu.com/security/CVE-2025-21861",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()  If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio.  This will set memcg_data of the old folio to 0.  Similarly, if migration failed, memcg_data of the dst folio is left unset.  If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy.  Running the hmm selftests:    # ./hmm-tests   ...   #  RUN           hmm.hmm_device_private.migrate ...   [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00   [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)   [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9   [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000   [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())   [  102.087230][T14893] ------------[ cut here ]------------   [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170   [  102.090478][T14893] Modules linked in:   [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151   [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014   [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170   [  102.096104][T14893] Code: ...   
[  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293   [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426   [  102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880   [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000   [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8   [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000   [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000   [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0   [  102.113478][T14893] PKRU: 55555554   [  102.114172][T14893] Call Trace:   [  102.114805][T14893]  <TASK>   [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.116547][T14893]  ? __warn.cold+0x110/0x210   [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.118667][T14893]  ? report_bug+0x1b9/0x320   [  102.119571][T14893]  ? handle_bug+0x54/0x90   [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50   [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20   [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0   [  102.123506][T14893]  ? dump_page+0x4f/0x60   [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200   [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10   [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720   [  102.128633][T14893]  ? 
__pfx_lru_add+0x10/0x10   [  102.129550][T14893]  folio_putback_lru+0x16/0x80   [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530   [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0   [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80  Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again.  So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step.  The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-78.78 -proposed tracker (LP: #2120405)",
                            "",
                            "  * Incorrect backport for CVE-2025-21861 causes kernel hangs",
                            "    (LP: #2120330) // CVE-2025-21861",
                            "    - mm/migrate_device: don't add folio to be freed to LRU in",
                            "      migrate_device_finalize()",
                            "",
                            "  * Incorrect backport for CVE-2025-21861 causes kernel hangs (LP: #2120330)",
                            "    - SAUCE: Revert \"mm/migrate_device: don't add folio to be freed to LRU in",
                            "      migrate_device_finalize()\"",
                            "    - mm: migrate_device: use more folio in migrate_device_finalize()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-78.78",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2120405,
                            2120330,
                            2120330
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 12 Aug 2025 11:44:16 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-21861",
                                "url": "https://ubuntu.com/security/CVE-2025-21861",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()  If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio.  This will set memcg_data of the old folio to 0.  Similarly, if migration failed, memcg_data of the dst folio is left unset.  If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy.  Running the hmm selftests:    # ./hmm-tests   ...   #  RUN           hmm.hmm_device_private.migrate ...   [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00   [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)   [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9   [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000   [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())   [  102.087230][T14893] ------------[ cut here ]------------   [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170   [  102.090478][T14893] Modules linked in:   [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151   [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014   [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170   [  102.096104][T14893] Code: ...   
[  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293   [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426   [  102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880   [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000   [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8   [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000   [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000   [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0   [  102.113478][T14893] PKRU: 55555554   [  102.114172][T14893] Call Trace:   [  102.114805][T14893]  <TASK>   [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.116547][T14893]  ? __warn.cold+0x110/0x210   [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.118667][T14893]  ? report_bug+0x1b9/0x320   [  102.119571][T14893]  ? handle_bug+0x54/0x90   [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50   [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20   [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0   [  102.123506][T14893]  ? dump_page+0x4f/0x60   [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170   [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200   [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10   [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720   [  102.128633][T14893]  ? 
__pfx_lru_add+0x10/0x10   [  102.129550][T14893]  folio_putback_lru+0x16/0x80   [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530   [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0   [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80  Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again.  So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step.  The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21868",
                                "url": "https://ubuntu.com/security/CVE-2025-21868",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: allow small head cache usage with large MAX_SKB_FRAGS values  Sabrina reported the following splat:      WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0     Modules linked in:     CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014     RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0     Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48     RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293     RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e     RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6     RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c     R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168     R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007     FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033     CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400     Call Trace:     <TASK>     gro_cells_init+0x1ba/0x270     xfrm_input_init+0x4b/0x2a0     xfrm_init+0x38/0x50     ip_rt_init+0x2d7/0x350     ip_init+0xf/0x20     inet_init+0x406/0x590     do_one_initcall+0x9d/0x2e0     do_initcalls+0x23b/0x280     kernel_init_freeable+0x445/0x490     kernel_init+0x20/0x1d0     ret_from_fork+0x46/0x80     ret_from_fork_asm+0x1a/0x30     </TASK>     irq event stamp: 584330     hardirqs last  enabled at (584338): 
[<ffffffff8168bf87>] __up_console_sem+0x77/0xb0     hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0     softirqs last  enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470     softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0  on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD.  Such built additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat.  Note that the underlying issue is independent from the mentioned revert; address it ensuring that the small head cache will fit either TCP and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21869",
                                "url": "https://ubuntu.com/security/CVE-2025-21869",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/code-patching: Disable KASAN report during patching via temporary mm  Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:  [   12.028126] ================================================================== [   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1  [   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G               T  6.13.0-P9-dirty #3 [   12.028408] Tainted: [T]=RANDSTRUCT [   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [   12.028500] Call Trace: [   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [   12.029379] [c000000008dbfd00] 
[c00000000043a228] sys_bpf+0x28/0x40 [   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G               T   (6.13.0-P9-dirty) [   12.029735] MSR:  900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848  XER: 00000000 [   12.029855] IRQMASK: 0                GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005                GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008                GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000                GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000                GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90                GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80                GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8                GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [   12.030405] --- interrupt: 3000 [   12.030444] ==================================================================  Commit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for Radix MMU\") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented.  Commit 465cabc97b42 (\"powerpc/code-patching: introduce patch_instructions()\") use copy_to_kernel_nofault() to copy several instructions at once. 
But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21870",
                                "url": "https://ubuntu.com/security/CVE-2025-21870",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers  Other, non DAI copier widgets could have the same  stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio.  The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21844",
                                "url": "https://ubuntu.com/security/CVE-2025-21844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Add check for next_buffer in receive_encrypted_standard()  Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21846",
                                "url": "https://ubuntu.com/security/CVE-2025-21846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  acct: perform last write from workqueue  In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs.  Reorganize the code so that the the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk.  This api should stop to exist though.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21847",
                                "url": "https://ubuntu.com/security/CVE-2025-21847",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()  The nullity of sps->cstream should be checked similarly as it is done in sof_set_stream_data_offset() function. Assuming that it is not NULL if sps->stream is NULL is incorrect and can lead to NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21848",
                                "url": "https://ubuntu.com/security/CVE-2025-21848",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()  Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21862",
                                "url": "https://ubuntu.com/security/CVE-2025-21862",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drop_monitor: fix incorrect initialization order  Syzkaller reports the following bug:  BUG: spinlock bad magic on CPU#1, syz-executor.0/7995  lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G            E     5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace:  __dump_stack lib/dump_stack.c:77 [inline]  dump_stack+0x119/0x179 lib/dump_stack.c:118  debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]  do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]  _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159  reset_per_cpu_data+0xe6/0x240 [drop_monitor]  net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]  genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]  genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800  netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497  genl_rcv+0x29/0x40 net/netlink/genetlink.c:811  netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]  netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348  netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916  sock_sendmsg_nosec net/socket.c:651 [inline]  __sock_sendmsg+0x157/0x190 net/socket.c:663  ____sys_sendmsg+0x712/0x870 net/socket.c:2378  ___sys_sendmsg+0xf8/0x170 net/socket.c:2432  __sys_sendmsg+0xea/0x1b0 net/socket.c:2461  do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46  entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 
RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768  If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized.  To fix this, let's place resource initialization above the registration of a generic netlink family.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21871",
                                "url": "https://ubuntu.com/security/CVE-2025-21871",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tee: optee: Fix supplicant wait loop  OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application.  Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would.  This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which lead to client getting hung in an unkillable state. It in turn lead to system being in hung up state requiring hard power off/on to recover.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21863",
                                "url": "https://ubuntu.com/security/CVE-2025-21863",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: prevent opcode speculation  sqe->opcode is used for different tables, make sure we santitise it against speculations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58088",
                                "url": "https://ubuntu.com/security/CVE-2024-58088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix deadlock when freeing cgroup storage  The following commit bc235cdb423a (\"bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]\") first introduced deadlock prevention for fentry/fexit programs attaching on bpf_task_storage helpers. That commit also employed the logic in map free path in its v6 version.  Later bpf_cgrp_storage was first introduced in c4bcfb38a95e (\"bpf: Implement cgroup storage available to non-cgroup-attached bpf progs\") which faces the same issue as bpf_task_storage, instead of its busy counter, NULL was passed to bpf_local_storage_map_free() which opened a window to cause deadlock:  \t<TASK> \t\t(acquiring local_storage->lock) \t_raw_spin_lock_irqsave+0x3d/0x50 \tbpf_local_storage_update+0xd1/0x460 \tbpf_cgrp_storage_get+0x109/0x130 \tbpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170 \t? __bpf_prog_enter_recur+0x16/0x80 \tbpf_trampoline_6442485186+0x43/0xa4 \tcgroup_storage_ptr+0x9/0x20 \t\t(holding local_storage->lock) \tbpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160 \tbpf_selem_unlink_storage+0x6f/0x110 \tbpf_local_storage_map_free+0xa2/0x110 \tbpf_map_free_deferred+0x5b/0x90 \tprocess_one_work+0x17c/0x390 \tworker_thread+0x251/0x360 \tkthread+0xd2/0x100 \tret_from_fork+0x34/0x50 \tret_from_fork_asm+0x1a/0x30 \t</TASK>  Progs:  - A: SEC(\"fentry/cgroup_storage_ptr\")    - cgid (BPF_MAP_TYPE_HASH) \tRecord the id of the cgroup the current task belonging \tto in this hash map, using the address of the cgroup \tas the map key.    - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE) \tIf current task is a kworker, lookup the above hash \tmap using function parameter @owner as the key to get \tits corresponding cgroup id which is then used to get \ta trusted pointer to the cgroup through \tbpf_cgroup_from_id(). 
This trusted pointer can then \tbe passed to bpf_cgrp_storage_get() to finally trigger \tthe deadlock issue.  - B: SEC(\"tp_btf/sys_enter\")    - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE) \tThe only purpose of this prog is to fill Prog A's \thash map by calling bpf_cgrp_storage_get() for as \tmany userspace tasks as possible.  Steps to reproduce:  - Run A;  - while (true) { Run B; Destroy B; }  Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21853",
                                "url": "https://ubuntu.com/security/CVE-2025-21853",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: avoid holding freeze_mutex during mmap operation  We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0].  So, instead, hold freeze_mutex only during writeability checks, bump (proactively) \"write active\" count for the map, unlock the mutex and proceed with mmap logic. And only if something went wrong during mmap logic, then undo that \"write active\" counter increment.    [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21867",
                                "url": "https://ubuntu.com/security/CVE-2025-21867",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()  KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init().  Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for \"if (user_size > size)\" as it is unnecessary.  [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165  eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]  eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165  __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635  xdp_recv_frames net/bpf/test_run.c:272 [inline]  xdp_test_run_batch net/bpf/test_run.c:361 [inline]  bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390  bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318  bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371  __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777  __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]  __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]  __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864  x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  free_pages_prepare mm/page_alloc.c:1056 [inline]  free_unref_page+0x156/0x1320 mm/page_alloc.c:2657  __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838  bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]  ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235  bpf_map_free 
kernel/bpf/syscall.c:838 [inline]  bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862  process_one_work kernel/workqueue.c:3229 [inline]  process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310  worker_thread+0xedf/0x1550 kernel/workqueue.c:3391  kthread+0x535/0x6b0 kernel/kthread.c:389  ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-27 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21864",
                                "url": "https://ubuntu.com/security/CVE-2025-21864",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: drop secpath at the same time as we currently drop dst  Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to:  - create a pair of netns  - run a basic TCP test over ipcomp6  - delete the pair of netns  The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free.  The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point.  We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21854",
                                "url": "https://ubuntu.com/security/CVE-2025-21854",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sockmap, vsock: For connectible sockets allow only connected  sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path.  Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly:  KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+ Workqueue: vsock-loopback vsock_loopback_work RIP: 0010:vsock_read_skb+0x4b/0x90 Call Trace:  sk_psock_verdict_data_ready+0xa4/0x2e0  virtio_transport_recv_pkt+0x1ca8/0x2acc  vsock_loopback_work+0x27d/0x3f0  process_one_work+0x846/0x1420  worker_thread+0x5b3/0xf80  kthread+0x35a/0x700  ret_from_fork+0x2d/0x70  ret_from_fork_asm+0x1a/0x30  For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21855",
                                "url": "https://ubuntu.com/security/CVE-2025-21855",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmvnic: Don't reference skb after sending to VIOS  Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb.  It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free:  ==================================================================  BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]  Read of size 4 at addr c00000024eb48a70 by task hxecom/14495  <...>  Call Trace:  [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)  [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0  [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8  [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0  [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]  [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358  <...>  Freed by task 0:  kasan_save_stack+0x34/0x68  kasan_save_track+0x2c/0x50  kasan_save_free_info+0x64/0x108  __kasan_mempool_poison_object+0x148/0x2d4  napi_skb_cache_put+0x5c/0x194  net_tx_action+0x154/0x5b8  handle_softirqs+0x20c/0x60c  do_softirq_own_stack+0x6c/0x88  <...>  The buggy address belongs to the object at c00000024eb48a00 which   belongs to the cache skbuff_head_cache of size 224 ==================================================================",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21856",
                                "url": "https://ubuntu.com/security/CVE-2025-21856",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/ism: add release function for struct device  According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed.  The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21857",
                                "url": "https://ubuntu.com/security/CVE-2025-21857",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: cls_api: fix error handling causing NULL dereference  tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change().  fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced.  Example trace:  BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1 RIP: 0010:tcf_action_init+0x1f8/0x2c0 Call Trace:  tcf_action_init+0x1f8/0x2c0  tcf_exts_validate_ex+0x175/0x190  fl_change+0x537/0x1120 [cls_flower]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21858",
                                "url": "https://ubuntu.com/security/CVE-2025-21858",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  geneve: Fix use-after-free in geneve_find_dev().  syzkaller reported a use-after-free in geneve_find_dev() [0] without repro.  geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list.  The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.  When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed.  However, its geneve_dev.next is still linked to the backend UDP socket netns.  Then, use-after-free will occur when another geneve dev is created in the netns.  Let's call geneve_dellink() instead in geneve_destroy_tunnels().  [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441  CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace:  show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x16c/0x6f0 mm/kasan/report.c:489  kasan_report+0xc0/0x120 mm/kasan/report.c:602  __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379  geneve_find_dev drivers/net/geneve.c:1295 [inline]  geneve_configure+0x234/0x858 drivers/net/geneve.c:1343  geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634  rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795  __rtnl_newlink net/core/rtnetlink.c:3906 [inline]  rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021  rtnetlink_rcv_msg+0x61c/0x918 
net/core/rtnetlink.c:6911  netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543  rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938  netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]  netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348  netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892  sock_sendmsg_nosec net/socket.c:713 [inline]  __sock_sendmsg net/socket.c:728 [inline]  ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568  ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622  __sys_sendmsg net/socket.c:2654 [inline]  __do_sys_sendmsg net/socket.c:2659 [inline]  __se_sys_sendmsg net/socket.c:2657 [inline]  __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132  do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151  el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762  el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600  Allocated by task 13247:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x68 mm/kasan/common.c:68  kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4298 [inline]  __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304  __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645  alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470  rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604  rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780  __rtnl_newlink net/core/rtnetlink.c:3906 [inline]  rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021  rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911  netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543  rtnetlink_rcv+0x34/0x50 
net/core/rtnetlink.c:6938  netlink_unicast_kernel net/netlink/af_n ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21866",
                                "url": "https://ubuntu.com/security/CVE-2025-21866",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC  Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6:    BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8   Write of size 8 at addr f1000000 by task chronyd/1293    CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W         6.13.0-rc6-PMacG4 #2   Tainted: [W]=WARN   Hardware name: PowerMac3,6 7455 0x80010303 PowerMac   Call Trace:   [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)   [c24375b0] [c0504998] print_report+0xdc/0x504   [c2437610] [c050475c] kasan_report+0xf8/0x108   [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c   [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8   [c24376c0] [c004c014] patch_instructions+0x15c/0x16c   [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c   [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac   [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec   [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478   [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14   [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4   [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890   [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420   [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c   --- interrupt: c00 at 0x5a1274   NIP:  005a1274 LR: 006a3b3c CTR: 005296c8   REGS: c2437f40 TRAP: 0c00   Tainted: G        W          (6.13.0-rc6-PMacG4)   MSR:  0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI>  CR: 24004422  XER: 00000000    GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932   GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57   GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002   GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 
00000001   NIP [005a1274] 0x5a1274   LR [006a3b3c] 0x6a3b3c   --- interrupt: c00    The buggy address belongs to the virtual mapping at    [f1000000, f1002000) created by:    text_area_cpu_up+0x20/0x190    The buggy address belongs to the physical page:   page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30   flags: 0x80000000(zone=2)   raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001   raw: 00000000   page dumped because: kasan: bad access detected    Memory state around the buggy address:    f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8              ^    f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8    f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8   ==================================================================  f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet.  Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area.  That went undetected until commit e4137f08816b (\"mm, kasan, kmsan: instrument copy_from/to_kernel_nofault\")  The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21859",
                                "url": "https://ubuntu.com/security/CVE-2025-21859",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: gadget: f_midi: f_midi_complete to call queue_work  When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock.  Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-12 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21746",
                                "url": "https://ubuntu.com/security/CVE-2025-21746",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: synaptics - fix crash when enabling pass-through port  When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse instance presumably associated with the pass-through port to figure out if only 1 byte of response or entire protocol packet needs to be forwarded to the pass-through port and may crash if psmouse instance has not been attached to the port yet.  Fix the crash by introducing open() and close() methods for the port and check if the port is open before trying to access psmouse instance. Because psmouse calls serio_open() only after attaching psmouse instance to serio port instance this prevents the potential crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 03:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57977",
                                "url": "https://ubuntu.com/security/CVE-2024-57977",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memcg: fix soft lockup in the OOM process  A soft lockup issue was found in the product with about 56,000 tasks were in the OOM cgroup, it was traversing them when the soft lockup was triggered.  watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066] CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G Hardware name: Huawei Cloud OpenStack Nova, BIOS RIP: 0010:console_unlock+0x343/0x540 RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247 RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040 R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0 R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  vprintk_emit+0x193/0x280  printk+0x52/0x6e  dump_task+0x114/0x130  mem_cgroup_scan_tasks+0x76/0x100  dump_header+0x1fe/0x210  oom_kill_process+0xd1/0x100  out_of_memory+0x125/0x570  mem_cgroup_out_of_memory+0xb5/0xd0  try_charge+0x720/0x770  mem_cgroup_try_charge+0x86/0x180  mem_cgroup_try_charge_delay+0x1c/0x40  do_anonymous_page+0xb5/0x390  handle_mm_fault+0xc4/0x1f0  This is because thousands of processes are in the OOM cgroup, it takes a long time to traverse all of them.  As a result, this lead to soft lockup in the OOM process.  To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks' function per 1000 iterations.  For global OOM, call 'touch_softlockup_watchdog' per 1000 iterations to avoid this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21712",
                                "url": "https://ubuntu.com/security/CVE-2025-21712",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime  After commit ec6bb299c7c3 (\"md/md-bitmap: add 'sync_size' into struct md_bitmap_stats\"), following panic is reported:  Oops: general protection fault, probably for non-canonical address RIP: 0010:bitmap_get_stats+0x2b/0xa0 Call Trace:  <TASK>  md_seq_show+0x2d2/0x5b0  seq_read_iter+0x2b9/0x470  seq_read+0x12f/0x180  proc_reg_read+0x57/0xb0  vfs_read+0xf6/0x380  ksys_read+0x6c/0xf0  do_syscall_64+0x82/0x170  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Root cause is that bitmap_get_stats() can be called at anytime if mddev is still there, even if bitmap is destroyed, or not fully initialized. Deferenceing bitmap in this case can crash the kernel. Meanwhile, the above commit start to deferencing bitmap->storage, make the problem easier to trigger.  Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58093",
                                "url": "https://ubuntu.com/security/CVE-2024-58093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/ASPM: Fix link state exit during switch upstream function removal  Before 456d8aa37d0f (\"PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free\"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed.  That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.  After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link.  That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.  The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.  On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone.  [kwilczynski: commit log]",
                                "cve_priority": "low",
                                "cve_public_date": "2025-04-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38083",
                                "url": "https://ubuntu.com/security/CVE-2025-38083",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: prio: fix a race in prio_tune()  Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-20 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37797",
                                "url": "https://ubuntu.com/security/CVE-2025-37797",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class handling  This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel.  The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,    codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding    the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes    are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free  The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-02 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-72.72 -proposed tracker (LP: #2117691)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.07.14)",
                            "",
                            "  * NVMe namespace ID mismatch on repeated map/unmap (LP: #2115209)",
                            "    - nvme: requeue namespace scan on missed AENs",
                            "    - nvme: re-read ANA log page after ns scan completes",
                            "    - nvme: fixup scan failure for non-ANA multipath controllers",
                            "",
                            "  * integrated I219-LM network adapter appears to be running too fast, causing",
                            "    synchronization issues when using the I219-LM PTP feature (LP: #2116072)",
                            "    - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13",
                            "",
                            "  * intel_rapl: support ARL-H hardware (LP: #2115652)",
                            "    - powercap: intel_rapl_msr: Add PL4 support for ArrowLake-H",
                            "",
                            "  * Ubuntu 24.04+ arm64: screen resolution fixed to 1024x768 with last kernel",
                            "    update (LP: #2115068)",
                            "    - [Config] Replace FB_HYPERV with DRM_HYPERV",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212)",
                            "    - arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings",
                            "    - xfs: assert a valid limit in xfs_rtfind_forw",
                            "    - xfs: validate inumber in xfs_iget",
                            "    - xfs: fix a sloppy memory handling bug in xfs_iroot_realloc",
                            "    - xfs: fix a typo",
                            "    - xfs: skip background cowblock trims on inodes open for write",
                            "    - xfs: don't free cowblocks from under dirty pagecache on unshare",
                            "    - xfs: merge xfs_attr_leaf_try_add into xfs_attr_leaf_addname",
                            "    - xfs: return bool from xfs_attr3_leaf_add",
                            "    - xfs: distinguish extra split from real ENOSPC from xfs_attr3_leaf_split",
                            "    - xfs: distinguish extra split from real ENOSPC from",
                            "      xfs_attr_node_try_addname",
                            "    - xfs: fold xfs_bmap_alloc_userdata into xfs_bmapi_allocate",
                            "    - xfs: don't ifdef around the exact minlen allocations",
                            "    - xfs: call xfs_bmap_exact_minlen_extent_alloc from xfs_bmap_btalloc",
                            "    - xfs: support lowmode allocations in xfs_bmap_exact_minlen_extent_alloc",
                            "    - xfs: Use try_cmpxchg() in xlog_cil_insert_pcp_aggregate()",
                            "    - xfs: Remove empty declartion in header file",
                            "    - xfs: pass the exact range to initialize to xfs_initialize_perag",
                            "    - xfs: update the file system geometry after recoverying superblock",
                            "      buffers",
                            "    - xfs: error out when a superblock buffer update reduces the agcount",
                            "    - xfs: don't use __GFP_RETRY_MAYFAIL in xfs_initialize_perag",
                            "    - xfs: update the pag for the last AG at recovery time",
                            "    - xfs: Reduce unnecessary searches when searching for the best extents",
                            "    - xfs: streamline xfs_filestream_pick_ag",
                            "    - xfs: Check for delayed allocations before setting extsize",
                            "    - md/md-bitmap: replace md_bitmap_status() with a new helper",
                            "      md_bitmap_get_stats()",
                            "    - md/md-cluster: fix spares warnings for __le64",
                            "    - md/md-bitmap: add 'sync_size' into struct md_bitmap_stats",
                            "    - mm: update mark_victim tracepoints fields",
                            "    - cpufreq: dt-platdev: add missing MODULE_DESCRIPTION() macro",
                            "    - cpufreq: fix using cpufreq-dt as module",
                            "    - Bluetooth: qca: Support downloading board id specific NVM for WCN7850",
                            "    - Bluetooth: qca: Update firmware-name to support board specific nvm",
                            "    - Bluetooth: qca: Fix poor RF performance for WCN6855",
                            "    - Input: serio - define serio_pause_rx guard to pause and resume serio",
                            "      ports",
                            "    - ASoC: renesas: rz-ssi: Add a check for negative sample_space",
                            "    - ASoC: rockchip: i2s-tdm: fix shift config for SND_SOC_DAIFMT_DSP_[AB]",
                            "    - powerpc/64s/mm: Move __real_pte stubs into hash-4k.h",
                            "    - powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline",
                            "    - ALSA: seq: Drop UMP events when no UMP-conversion is set",
                            "    - ibmvnic: Return error code on TX scrq flush fail",
                            "    - ibmvnic: Introduce send sub-crq direct",
                            "    - ibmvnic: Add stat for tx direct vs tx batched",
                            "    - vsock/bpf: Warn on socket without transport",
                            "    - tcp: adjust rcvq_space after updating scaling ratio",
                            "    - geneve: Suppress list corruption splat in geneve_destroy_tunnels().",
                            "    - flow_dissector: Fix handling of mixed port and port-range keys",
                            "    - flow_dissector: Fix port range key handling in BPF conversion",
                            "    - net: Add non-RCU dev_getbyhwaddr() helper",
                            "    - arp: switch to dev_getbyhwaddr() in arp_req_set_public()",
                            "    - net: axienet: Set mac_managed_pm",
                            "    - bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic",
                            "    - strparser: Add read_sock callback",
                            "    - bpf: Fix wrong copied_seq calculation",
                            "    - bpf: Disable non stream socket for strparser",
                            "    - power: supply: da9150-fg: fix potential overflow",
                            "    - nouveau/svm: fix missing folio unlock + put after",
                            "      make_device_exclusive_range()",
                            "    - drm/msm: Avoid rounding up to one jiffy",
                            "    - nvme/ioctl: add missing space in err message",
                            "    - bpf: skip non exist keys in generic_map_lookup_batch",
                            "    - drm/nouveau/pmu: Fix gp10b firmware guard",
                            "    - drm/msm/dpu: Disable dither in phys encoder cleanup",
                            "    - drm/i915: Make sure all planes in use by the joiner have their crtc",
                            "      included",
                            "    - drm/i915/dp: Fix error handling during 128b/132b link training",
                            "    - soc: loongson: loongson2_guts: Add check for devm_kstrdup()",
                            "    - lib/iov_iter: fix import_iovec_ubuf iovec management",
                            "    - ASoC: fsl_micfil: Enable default case in micfil_set_quality()",
                            "    - ALSA: hda: Add error check for snd_ctl_rename_id() in",
                            "      snd_hda_create_dig_out_ctls()",
                            "    - ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED",
                            "    - ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close",
                            "    - acct: block access to kernel internal filesystems",
                            "    - mm,madvise,hugetlb: check for 0-length range after end address",
                            "      adjustment",
                            "    - mtd: rawnand: cadence: fix error code in cadence_nand_init()",
                            "    - mtd: rawnand: cadence: use dma_map_resource for sdma address",
                            "    - mtd: rawnand: cadence: fix incorrect device in dma_unmap_single",
                            "    - EDAC/qcom: Correct interrupt enable register configuration",
                            "    - ftrace: Correct preemption accounting for function tracing.",
                            "    - ftrace: Do not add duplicate entries in subops manager ops",
                            "    - arm64: dts: rockchip: change eth phy mode to rgmii-id for orangepi r1",
                            "      plus lts",
                            "    - x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit",
                            "    - KVM: x86: Get vcpu->arch.apic_base directly and drop kvm_get_apic_base()",
                            "    - KVM: x86: Inline kvm_get_apic_mode() in lapic.h",
                            "    - KVM: Introduce vcpu->wants_to_run",
                            "    - KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID",
                            "    - drm/amd/display: Refactoring if and endif statements to enable DC_LOGGER",
                            "    - arm64: dts: mt8183: add dpi node to mt8183",
                            "    - arm64: dts: mt8183: Add port node to dpi node",
                            "    - arm64: dts: mediatek: mt8183-kukui: Disable DPI display interface",
                            "    - arm64: dts: mediatek: mt8183: Disable DPI display output by default",
                            "    - arm64: dts: mediatek: mt8183-pumpkin: add HDMI support",
                            "    - arm64: dts: mediatek: mt8183: Disable DSI display output by default",
                            "    - accel/ivpu: Limit FW version string length",
                            "    - accel/ivpu: Add coredump support",
                            "    - accel/ivpu: Add FW state dump on TDR",
                            "    - accel/ivpu: Fix error handling in recovery/reset",
                            "    - ASoC: SOF: topology: dynamically allocate and store DAI widget->private",
                            "    - ASoC: SOF: topology: Parse DAI type token for dspless mode",
                            "    - ASoC: imx-audmix: remove cpu_mclk which is from cpu dai device",
                            "    - vsock/virtio: fix variables initialization during resuming",
                            "    - drm/msm/dpu: skip watchdog timer programming through TOP on >= SM8450",
                            "    - drm/msm/dpu: Don't leak bits_per_component into random DSC_ENC fields",
                            "    - drm/msm/dsi/phy: Protect PHY_CMN_CLK_CFG0 updated from driver side",
                            "    - drm/msm/dsi/phy: Protect PHY_CMN_CLK_CFG1 against clock driver",
                            "    - drm/msm/dsi/phy: Do not overwite PHY_CMN_CLK_CFG1 when choosing bitclk",
                            "      source",
                            "    - nvme: tcp: Fix compilation warning with W=1",
                            "    - nvme-tcp: fix connect failure on receiving partial ICResp PDU",
                            "    - drm: panel: jd9365da-h3: fix reset signal polarity",
                            "    - io_uring/rw: forbid multishot async reads",
                            "    - arm64: dts: rockchip: Fix broken tsadc pinctrl names for rk3588",
                            "    - arm64: dts: rockchip: Move uart5 pin configuration to px30 ringneck SoM",
                            "    - arm64: dts: rockchip: Disable DMA for uart5 on px30-ringneck",
                            "    - s390/boot: Fix ESSA detection",
                            "    - xfs: fix online repair probing when CONFIG_XFS_ONLINE_REPAIR=n",
                            "    - smb: client: fix chmod(2) regression with ATTR_READONLY",
                            "    - tracing: Fix using ret variable in tracing_set_tracer()",
                            "    - selftests/mm: build with -O2",
                            "    - Upstream stable to v6.6.80, v6.12.17",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21861",
                            "    - mm/migrate_device: don't add folio to be freed to LRU in",
                            "      migrate_device_finalize()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21868",
                            "    - net: allow small head cache usage with large MAX_SKB_FRAGS values",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21869",
                            "    - powerpc/code-patching: Disable KASAN report during patching via",
                            "      temporary mm",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21870",
                            "    - ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21844",
                            "    - smb: client: Add check for next_buffer in receive_encrypted_standard()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21846",
                            "    - acct: perform last write from workqueue",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21847",
                            "    - ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21848",
                            "    - nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21862",
                            "    - drop_monitor: fix incorrect initialization order",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21871",
                            "    - tee: optee: Fix supplicant wait loop",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21863",
                            "    - io_uring: prevent opcode speculation",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2024-58088",
                            "    - bpf: Fix deadlock when freeing cgroup storage",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21853",
                            "    - bpf: avoid holding freeze_mutex during mmap operation",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21867",
                            "    - bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21864",
                            "    - tcp: drop secpath at the same time as we currently drop dst",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21854",
                            "    - sockmap, vsock: For connectible sockets allow only connected",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21855",
                            "    - ibmvnic: Don't reference skb after sending to VIOS",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21856",
                            "    - s390/ism: add release function for struct device",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21857",
                            "    - net/sched: cls_api: fix error handling causing NULL dereference",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21858",
                            "    - geneve: Fix use-after-free in geneve_find_dev().",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21866",
                            "    - powerpc/code-patching: Fix KASAN hit by not flagging text patching area",
                            "      as VM_ALLOC",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21859",
                            "    - USB: gadget: f_midi: f_midi_complete to call queue_work",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21746",
                            "    - Input: synaptics - fix crash when enabling pass-through port",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2024-57977",
                            "    - memcg: fix soft lockup in the OOM process",
                            "",
                            "  * Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //",
                            "    CVE-2025-21712",
                            "    - md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime",
                            "",
                            "  * CVE-2024-58093",
                            "    - PCI/ASPM: Fix link state exit during switch upstream function removal",
                            "",
                            "  * [SRU]Request E825-C driver into latest LTS of Ubuntu OS 24.04",
                            "    (LP: #2114785)",
                            "    - ice: add support for 3k signing DDP sections for E825C",
                            "    - ice: Add helper function ice_is_generic_mac",
                            "    - ice: introduce new E825C devices family",
                            "",
                            "  * [UBUNTU 22.04] kernel: Fix z17 elf platform recognition (LP: #2114450)",
                            "    - s390: Add z17 elf platform",
                            "",
                            "  * [UBUNTU 24.04] Kernel: Add CPUMF extended counter set for z17",
                            "    (LP: #2114258)",
                            "    - s390/cpumf: Update CPU Measurement facility extended counter set support",
                            "",
                            "  * Noble update: upstream stable patchset 2025-06-29 (LP: #2115616)",
                            "    - nfsd: clear acl_access/acl_default after releasing them",
                            "    - NFSD: fix hang in nfsd4_shutdown_callback",
                            "    - pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware",
                            "    - HID: multitouch: Add NULL check in mt_input_configured",
                            "    - HID: hid-thrustmaster: fix stack-out-of-bounds read in",
                            "      usb_check_int_endpoints()",
                            "    - spi: sn-f-ospi: Fix division by zero",
                            "    - ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt",
                            "    - ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()",
                            "    - vrf: use RCU protection in l3mdev_l3_out()",
                            "    - vxlan: check vxlan_vnigroup_init() return value",
                            "    - LoongArch: Fix idle VS timer enqueue",
                            "    - LoongArch: csum: Fix OoB access in IP checksum code for negative lengths",
                            "    - team: better TEAM_OPTION_TYPE_STRING validation",
                            "    - arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array",
                            "    - cgroup: Remove steal time from usage_usec",
                            "    - drm/i915/selftests: avoid using uninitialized context",
                            "    - gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0",
                            "    - gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ",
                            "    - gpio: bcm-kona: Add missing newline to dev_err format string",
                            "    - drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()",
                            "    - xen/swiotlb: relax alignment requirements",
                            "    - x86/xen: allow larger contiguous memory regions in PV guests",
                            "    - block: cleanup and fix batch completion adding conditions",
                            "    - gpiolib: Fix crash on error in gpiochip_get_ngpios()",
                            "    - tools: fix annoying \"mkdir -p ...\" logs when building tools in parallel",
                            "    - RDMA/efa: Reset device on probe failure",
                            "    - fbdev: omap: use threaded IRQ for LCD DMA",
                            "    - soc/tegra: fuse: Update Tegra234 nvmem keepout list",
                            "    - media: cxd2841er: fix 64-bit division on gcc-9",
                            "    - media: i2c: ds90ub913: Add error handling to ub913_hw_init()",
                            "    - media: i2c: ds90ub953: Add error handling for i2c reads/writes",
                            "    - media: uvcvideo: Implement dual stream quirk to fix loss of usb packets",
                            "    - media: uvcvideo: Add new quirk definition for the Sonix Technology Co.",
                            "      292a camera",
                            "    - media: uvcvideo: Add Kurokesu C1 PRO camera",
                            "    - media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread",
                            "    - PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P",
                            "    - PCI: switchtec: Add Microchip PCI100X device IDs",
                            "    - scsi: ufs: bsg: Set bsg_queue to NULL after removal",
                            "    - rtla/timerlat_hist: Abort event processing on second signal",
                            "    - rtla/timerlat_top: Abort event processing on second signal",
                            "    - vfio/pci: Enable iowrite64 and ioread64 for vfio pci",
                            "    - NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()",
                            "    - Grab mm lock before grabbing pt lock",
                            "    - selftests: gpio: gpio-sim: Fix missing chip disablements",
                            "    - ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V",
                            "    - x86/mm/tlb: Only trim the mm_cpumask once a second",
                            "    - orangefs: fix a oob in orangefs_debug_write",
                            "    - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V",
                            "    - batman-adv: fix panic during interface removal",
                            "    - batman-adv: Ignore neighbor throughput metrics in error case",
                            "    - batman-adv: Drop unmanaged ELP metric worker",
                            "    - drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()",
                            "    - KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-",
                            "      kernel",
                            "    - KVM: nSVM: Enter guest mode before initializing nested NPT MMU",
                            "    - perf/x86/intel: Ensure LBRs are disabled when a CPU is starting",
                            "    - usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI",
                            "      bind retries",
                            "    - usb: dwc3: Fix timeout issue during controller enter/exit from halt",
                            "      state",
                            "    - usb: roles: set switch registered flag early on",
                            "    - usb: gadget: udc: renesas_usb3: Fix compiler warning",
                            "    - usb: dwc2: gadget: remove of_node reference upon udc_stop",
                            "    - USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI",
                            "    - usb: core: fix pipe creation for get_bMaxPacketSize0",
                            "    - USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist",
                            "    - USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone",
                            "    - usb: gadget: f_midi: fix MIDI Streaming descriptor lengths",
                            "    - USB: hub: Ignore non-compliant devices with too many configs or",
                            "      interfaces",
                            "    - USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk",
                            "    - usb: cdc-acm: Check control transfer buffer size before access",
                            "    - usb: cdc-acm: Fix handling of oversized fragments",
                            "    - USB: serial: option: add MeiG Smart SLM828",
                            "    - USB: serial: option: add Telit Cinterion FN990B compositions",
                            "    - USB: serial: option: fix Telit Cinterion FN990A name",
                            "    - USB: serial: option: drop MeiG Smart defines",
                            "    - can: ctucanfd: handle skb allocation failure",
                            "    - can: c_can: fix unbalanced runtime PM disable in error path",
                            "    - can: j1939: j1939_sk_send_loop(): fix unable to send messages with data",
                            "      length zero",
                            "    - can: etas_es58x: fix potential NULL pointer dereference on udev->serial",
                            "    - alpha: make stack 16-byte aligned (most cases)",
                            "    - wifi: ath12k: fix handling of 6 GHz rules",
                            "    - kbuild: userprogs: fix bitsize and target detection on clang",
                            "    - efi: Avoid cold plugged memory for placing the kernel",
                            "    - cgroup: fix race between fork and cgroup.kill",
                            "    - serial: port: Assign ->iotype correctly when ->iobase is set",
                            "    - serial: port: Always update ->iotype in __uart_read_properties()",
                            "    - serial: 8250: Fix fifo underflow on flush",
                            "    - alpha: align stack for page fault and user unaligned trap handlers",
                            "    - gpiolib: acpi: Add a quirk for Acer Nitro ANV14",
                            "    - gpio: stmpe: Check return value of stmpe_reg_read in",
                            "      stmpe_gpio_irq_sync_unlock",
                            "    - partitions: mac: fix handling of bogus partition table",
                            "    - regulator: qcom_smd: Add l2, l5 sub-node to mp5496 regulator",
                            "    - regmap-irq: Add missing kfree()",
                            "    - arm64: Handle .ARM.attributes section in linker scripts",
                            "    - mmc: mtk-sd: Fix register settings for hs400(es) mode",
                            "    - igc: Set buffer type for empty frames in igc_init_empty_frame",
                            "    - mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw()",
                            "    - btrfs: fix hole expansion when writing at an offset beyond EOF",
                            "    - clocksource: Use pr_info() for \"Checking clocksource synchronization\"",
                            "      message",
                            "    - clocksource: Use migrate_disable() to avoid calling get_random_u32() in",
                            "      atomic context",
                            "    - ipv4: add RCU protection to ip4_dst_hoplimit()",
                            "    - net: add dev_net_rcu() helper",
                            "    - ipv4: use RCU protection in ipv4_default_advmss()",
                            "    - ipv4: use RCU protection in rt_is_expired()",
                            "    - ipv4: use RCU protection in inet_select_addr()",
                            "    - net: ipv4: Cache pmtu for all packet paths if multipath enabled",
                            "    - ipv4: use RCU protection in __ip_rt_update_pmtu()",
                            "    - ipv4: icmp: convert to dev_net_rcu()",
                            "    - flow_dissector: use RCU protection to fetch dev_net()",
                            "    - ipv6: use RCU protection in ip6_default_advmss()",
                            "    - ipv6: icmp: convert to dev_net_rcu()",
                            "    - HID: hid-steam: Add Deck IMU support",
                            "    - HID: hid-steam: Make sure rumble work is canceled on removal",
                            "    - HID: hid-steam: Move hidraw input (un)registering to work",
                            "    - ndisc: use RCU protection in ndisc_alloc_skb()",
                            "    - neighbour: delete redundant judgment statements",
                            "    - neighbour: use RCU protection in __neigh_notify()",
                            "    - arp: use RCU protection in arp_xmit()",
                            "    - openvswitch: use RCU protection in ovs_vport_cmd_fill_info()",
                            "    - ndisc: extend RCU protection in ndisc_send_skb()",
                            "    - ipv6: mcast: extend RCU protection in igmp6_send()",
                            "    - ipv6: mcast: add RCU protection to mld_newpack()",
                            "    - drm/tidss: Fix issue in irq handling causing irq-flood issue",
                            "    - drm/tidss: Clear the interrupt status for interrupts being disabled",
                            "    - drm/rcar-du: dsi: Fix PHY lock bit check",
                            "    - drm/v3d: Stop active perfmon if it is being destroyed",
                            "    - netdevsim: print human readable IP address",
                            "    - selftests: rtnetlink: update netdevsim ipsec output format",
                            "    - md/md-bitmap: factor behind write counters out from",
                            "      bitmap_{start/end}write()",
                            "    - md/md-bitmap: remove the last parameter for bimtap_ops->endwrite()",
                            "    - md/md-bitmap: move bitmap_{start, end}write to md upper layer",
                            "    - mm: gup: fix infinite loop within __get_longterm_locked",
                            "    - alpha: replace hardcoded stack offsets with autogenerated ones",
                            "    - HID: hid-steam: Don't use cancel_delayed_work_sync in IRQ context",
                            "    - io_uring/kbuf: reallocate buf lists on upgrade",
                            "    - x86/i8253: Disable PIT timer 0 when not in use",
                            "    - pinctrl: cy8c95x0: Rename PWMSEL to SELPWM",
                            "    - pinctrl: pinconf-generic: print hex value",
                            "    - pinctrl: pinconf-generic: Print unsigned value if a format is registered",
                            "    - idpf: fix handling rsc packet with a single segment",
                            "    - idpf: call set_real_num_queues in idpf_open",
                            "    - igc: Fix HW RX timestamp when passed by ZC XDP",
                            "    - LoongArch: KVM: Fix typo issue about GCFG feature detection",
                            "    - workqueue: Put the pwq after detaching the rescuer from the pool",
                            "    - perf/x86/intel: Clean up PEBS-via-PT on hybrid",
                            "    - drm/xe/client: bo->client does not need bos_lock",
                            "    - io_uring/waitid: don't abuse io_tw_state",
                            "    - drm: Fix DSC BPP increment decoding",
                            "    - i3c: mipi-i3c-hci: Add Intel specific quirk to ring resuming",
                            "    - i3c: mipi-i3c-hci: Add support for MIPI I3C HCI on PCI bus",
                            "    - [Config] updateconfigs for MIPI_I3C_HCI_PCI",
                            "    - serial: 8250_pci: Resolve WCH vendor ID ambiguity",
                            "    - serial: 8250_pci: Share WCH IDs with parport_serial driver",
                            "    - fs/ntfs3: Unify inode corruption marking with _ntfs_bad_inode()",
                            "    - kbuild: suppress stdout from merge_config for silent builds",
                            "    - KVM: x86: Load DR6 with guest value only before entering .vcpu_run()",
                            "      loop",
                            "    - perf/x86/intel: Fix ARCH_PERFMON_NUM_COUNTER_LEAF",
                            "    - USB: gadget: core: create sysfs link between udc and gadget",
                            "    - usb: gadget: core: flush gadget workqueue after device removal",
                            "    - include: net: add static inline dst_dev_overhead() to dst.h",
                            "    - net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue",
                            "    - net: ipv6: seg6_iptunnel: mitigate 2-realloc issue",
                            "    - net: ipv6: rpl_iptunnel: mitigate 2-realloc issue",
                            "    - net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels",
                            "    - scsi: ufs: core: Introduce ufshcd_has_pending_tasks()",
                            "    - scsi: ufs: core: Prepare to introduce a new clock_gating lock",
                            "    - scsi: ufs: core: Introduce a new clock_gating lock",
                            "    - scsi: ufs: Fix toggling of clk_gating.state when clock gating is not",
                            "      allowed",
                            "    - ipv4: use RCU protection in ip_dst_mtu_maybe_forward()",
                            "    - drm/tidss: Fix race condition while handling interrupt registers",
                            "    - drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()",
                            "    - wifi: rtw89: pci: disable PCIE wake bit when PCIE deinit",
                            "    - net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels",
                            "    - scsi: ufs: core: Ensure clk_gating.lock is used only after",
                            "      initialization",
                            "    - serial: 8250_dma: terminate correct DMA in tx_dma_flush()",
                            "    - x86/mm: Eliminate window where TLB flushes may be inadvertently skipped",
                            "    - HID: hid-steam: Fix use-after-free when detaching device",
                            "    - block: change blk_mq_add_to_batch() third argument type to bool",
                            "    - nvme: move error logging from nvme_end_req() to __nvme_end_req()",
                            "    - Upstream stable to v6.6.79, v6.12.16",
                            "",
                            "  * Noble update: upstream stable patchset 2025-06-17 (LP: #2114849)",
                            "    - ice: Add check for devm_kzalloc()",
                            "    - io_uring/rw: commit provided buffer state on async",
                            "    - mptcp: pm: only set fullmesh for subflow endp",
                            "    - selftests: mptcp: join: fix AF_INET6 variable",
                            "    - xfs: don't lose solo dquot update transactions",
                            "    - Upstream stable to v6.6.78, v6.12.15",
                            "",
                            "  * [Regression Updates] \"PCI: Explicitly put devices into D0 when",
                            "    initializing\" breaks pci-pass-through in QEMU/KVM (LP: #2117494)",
                            "    - PCI/PM: Set up runtime PM even for devices without PCI PM",
                            "",
                            "  * CVE-2025-38083",
                            "    - net_sched: prio: fix a race in prio_tune()",
                            "",
                            "  * CVE-2025-37797",
                            "    - net_sched: hfsc: Fix a UAF vulnerability in class handling",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-72.72",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2117691,
                            1786013,
                            2115209,
                            2116072,
                            2115652,
                            2115068,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2116212,
                            2114785,
                            2114450,
                            2114258,
                            2115616,
                            2114849,
                            2117494
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:34:12 +0200"
                    }
                ],
                "notes": "linux-modules-6.8.0-84-generic version '6.8.0-84.84' (source package linux version '6.8.0-84.84') was added. linux-modules-6.8.0-84-generic version '6.8.0-84.84' has the same source package name, linux, as the removed package linux-modules-6.8.0-71-generic. As such, we can use the source package version of the removed package, '6.8.0-71.71', as the starting point in our changelog diff. Kernel packages are an example of a case where the binary package name changes while the source package stays the same. Using the removed package's source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "libtirpc-common",
                "from_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.4+ds-1.1build1",
                    "version": "1.3.4+ds-1.1build1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtirpc3t64",
                "from_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.4+ds-1.1build1",
                    "version": "1.3.4+ds-1.1build1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-6.8.0-71-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-71.71",
                    "version": "6.8.0-71.71"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-71-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-71.71",
                    "version": "6.8.0-71.71"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 24.04 noble image from daily image serial 20250729 to 20250923.1",
    "from_series": "noble",
    "to_series": "noble",
    "from_serial": "20250729",
    "to_serial": "20250923.1",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}