{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.14.0-32-generic",
                "linux-modules-6.14.0-32-generic"
            ],
            "removed": [
                "linux-image-6.14.0-24-generic",
                "linux-modules-6.14.0-24-generic"
            ],
            "diff": [
                "apparmor",
                "cloud-init",
                "cloud-init-base",
                "coreutils",
                "libapparmor1",
                "libc-bin",
                "libc6",
                "libpam-modules",
                "libpam-modules-bin",
                "libpam-runtime",
                "libpam-systemd",
                "libpam0g",
                "libpython3.13-minimal",
                "libpython3.13-stdlib",
                "libsqlite3-0",
                "libsystemd-shared",
                "libsystemd0",
                "libudev1",
                "linux-image-virtual",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "perl-base",
                "python3-distupgrade",
                "python3.13",
                "python3.13-minimal",
                "snapd",
                "systemd",
                "systemd-resolved",
                "systemd-sysv",
                "systemd-timesyncd",
                "ubuntu-drivers-common",
                "ubuntu-release-upgrader-core",
                "udev",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "apparmor",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14",
                    "version": "4.1.0~beta5-0ubuntu14"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14.1",
                    "version": "4.1.0~beta5-0ubuntu14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2110236,
                    2110616,
                    2107402,
                    2107455,
                    2110628,
                    2107723,
                    2110624,
                    2107596,
                    2109029,
                    2110626,
                    2111807,
                    2107727,
                    2110688,
                    2110630,
                    2102033
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * This is an SRU from Questing to Plucky, tracked in LP: #2110236",
                            "  * Add patch to allow unprivileged_userns access to root dir",
                            "    (LP: #2110616):",
                            "    - d/p/u/unprivileged_userns_rootdir.patch",
                            "  * Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)",
                            "    and execution from a confined context (LP: #2107455):",
                            "    - d/p/u/lsblk-s390-fixes.patch",
                            "  * Add patch to fix execution of various commands from confined contexts",
                            "    (LP: #2110628):",
                            "    - d/p/u/profiles_ensure_access_to_attach_path.patch",
                            "  * Add patch to include new QtWebEngineProcess execution path in",
                            "    plasmashell profile (LP: #2107723):",
                            "    - d/p/u/plasmashell-QtWebEngineProcess-new-path.patch",
                            "  * Add patch to allow /cvmfs fusermounts (LP: #2110624):",
                            "    - d/p/u/fusermount3_cvmfs.patch",
                            "  * Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029):",
                            "    - d/p/u/openvpn_dnsfix.patch",
                            "  * Add patch to expand allowed fusermount3 flags for fuse_overlayfs and",
                            "    sshfs via fstab (LP: #2110626, LP: #2111807):",
                            "    - d/p/u/fusermount3_allow_more_flags.patch",
                            "  * Add patch to fix permission denials for iotop-c (LP: #2107727):",
                            "    - d/p/u/profiles-give-iotop-c-additional-accesses.patch",
                            "  * Add patch to fix parser handling of norelatime mount flag",
                            "    (LP: #2110688):",
                            "    - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch",
                            "  * Add patch to fix incorrect mount rule documentation in the apparmor.d",
                            "    man page (LP: #2110630):",
                            "    - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch",
                            "  * Add patch to add regression tests for the above two patches:",
                            "    - d/p/u/regression-verify-documented-mount-flag-behavior.patch",
                            "  * d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:",
                            "    move the remmina profile to profiles/apparmor/profiles/extras to",
                            "    disable it by default (LP: #2102033)",
                            "  * debian/apparmor.install: remove the remmina profile entry",
                            "  * debian/apparmor-profiles.install: add an entry for the remmina profile",
                            "  * debian/apparmor.maintscript: remove the remmina profile upon upgrade",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "4.1.0~beta5-0ubuntu14.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110236,
                            2110616,
                            2107402,
                            2107455,
                            2110628,
                            2107723,
                            2110624,
                            2107596,
                            2109029,
                            2110626,
                            2111807,
                            2107727,
                            2110688,
                            2110630,
                            2102033
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Wed, 27 May 2025 11:29:02 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.2-0ubuntu0~25.04.1",
                    "version": "25.1.2-0ubuntu0~25.04.1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.4-0ubuntu0~25.04.1",
                    "version": "25.1.4-0ubuntu0~25.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-11584",
                        "url": "https://ubuntu.com/security/CVE-2024-11584",
                        "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2069607,
                    2114229,
                    2069607
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Upstream security bugfix release based on 25.1.4.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "      + fix: disable cloud-init when non-x86 environments have no DMI-data",
                            "        and no strict datasources detected (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.4-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Tue, 24 Jun 2025 15:08:29 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-11584",
                                "url": "https://ubuntu.com/security/CVE-2024-11584",
                                "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only",
                            "    share dir (CVE-2024-11584)",
                            "  * Upstream security bugfix release based on 25.1.3.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "    - security: make hotplug socket only writable by root (LP: #2114229)",
                            "      (CVE-2024-11584)",
                            "    - security: make ds-identify behavior strict datasource discovery on",
                            "      non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.3-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2114229,
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Thu, 12 Jun 2025 15:05:34 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init-base",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.2-0ubuntu0~25.04.1",
                    "version": "25.1.2-0ubuntu0~25.04.1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.1.4-0ubuntu0~25.04.1",
                    "version": "25.1.4-0ubuntu0~25.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-11584",
                        "url": "https://ubuntu.com/security/CVE-2024-11584",
                        "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6174",
                        "url": "https://ubuntu.com/security/CVE-2024-6174",
                        "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-26 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2069607,
                    2114229,
                    2069607
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Upstream security bugfix release based on 25.1.4.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "      + fix: disable cloud-init when non-x86 environments have no DMI-data",
                            "        and no strict datasources detected (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.4-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Tue, 24 Jun 2025 15:08:29 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-11584",
                                "url": "https://ubuntu.com/security/CVE-2024-11584",
                                "cve_description": "cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the \"/run/cloud-init/hook-hotplug-cmd\" FIFO. An unprivileged user could trigger hotplug-hook commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6174",
                                "url": "https://ubuntu.com/security/CVE-2024-6174",
                                "cve_description": "When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-26 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only",
                            "    share dir (CVE-2024-11584)",
                            "  * Upstream security bugfix release based on 25.1.3.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog",
                            "    - Bugs fixed in this snapshot:",
                            "    - security: make hotplug socket only writable by root (LP: #2114229)",
                            "      (CVE-2024-11584)",
                            "    - security: make ds-identify behavior strict datasource discovery on",
                            "      non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "25.1.3-0ubuntu0~25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2114229,
                            2069607
                        ],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Thu, 12 Jun 2025 15:05:34 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "coreutils",
                "from_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.5-1ubuntu1.25.04.1",
                    "version": "9.5-1ubuntu1.25.04.1"
                },
                "to_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.5-1ubuntu1.25.04.2",
                    "version": "9.5-1ubuntu1.25.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115274
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/suppress-permission-denied-errors-on-nfs.patch:",
                            "    - Avoid returning permission denied errors when running ls -l when reading",
                            "      file attributes. (LP: #2115274)",
                            ""
                        ],
                        "package": "coreutils",
                        "version": "9.5-1ubuntu1.25.04.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2115274
                        ],
                        "author": "Ghadi Elie Rahme <ghadi.rahme@canonical.com>",
                        "date": "Tue, 24 Jun 2025 17:18:28 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libapparmor1",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14",
                    "version": "4.1.0~beta5-0ubuntu14"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "4.1.0~beta5-0ubuntu14.1",
                    "version": "4.1.0~beta5-0ubuntu14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2110236,
                    2110616,
                    2107402,
                    2107455,
                    2110628,
                    2107723,
                    2110624,
                    2107596,
                    2109029,
                    2110626,
                    2111807,
                    2107727,
                    2110688,
                    2110630,
                    2102033
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * This is an SRU from Questing to Plucky, tracked in LP: #2110236",
                            "  * Add patch to allow unprivileged_userns access to root dir",
                            "    (LP: #2110616):",
                            "    - d/p/u/unprivileged_userns_rootdir.patch",
                            "  * Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)",
                            "    and execution from a confined context (LP: #2107455):",
                            "    - d/p/u/lsblk-s390-fixes.patch",
                            "  * Add patch to fix execution of various commands from confined contexts",
                            "    (LP: #2110628):",
                            "    - d/p/u/profiles_ensure_access_to_attach_path.patch",
                            "  * Add patch to include new QtWebEngineProcess execution path in",
                            "    plasmashell profile (LP: #2107723):",
                            "    - d/p/u/plasmashell-QtWebEngineProcess-new-path.patch",
                            "  * Add patch to allow /cvmfs fusermounts (LP: #2110624):",
                            "    - d/p/u/fusermount3_cvmfs.patch",
                            "  * Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029):",
                            "    - d/p/u/openvpn_dnsfix.patch",
                            "  * Add patch to expand allowed fusermount3 flags for fuse_overlayfs and",
                            "    sshfs via fstab (LP: #2110626, LP: #2111807):",
                            "    - d/p/u/fusermount3_allow_more_flags.patch",
                            "  * Add patch to fix permission denials for iotop-c (LP: #2107727):",
                            "    - d/p/u/profiles-give-iotop-c-additional-accesses.patch",
                            "  * Add patch to fix parser handling of norelatime mount flag",
                            "    (LP: #2110688):",
                            "    - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch",
                            "  * Add patch to fix incorrect mount rule documentation in the apparmor.d",
                            "    man page (LP: #2110630):",
                            "    - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch",
                            "  * Add patch to add regression tests for the above two patches:",
                            "    - d/p/u/regression-verify-documented-mount-flag-behavior.patch",
                            "  * d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:",
                            "    move the remmina profile to profiles/apparmor/profiles/extras to",
                            "    disable it by default (LP: #2102033)",
                            "  * debian/apparmor.install: remove the remmina profile entry",
                            "  * debian/apparmor-profiles.install: add an entry for the remmina profile",
                            "  * debian/apparmor.maintscript: remove the remmina profile upon upgrade",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "4.1.0~beta5-0ubuntu14.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2110236,
                            2110616,
                            2107402,
                            2107455,
                            2110628,
                            2107723,
                            2110624,
                            2107596,
                            2109029,
                            2110626,
                            2111807,
                            2107727,
                            2110688,
                            2110630,
                            2102033
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Wed, 27 May 2025 11:29:02 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1.1",
                    "version": "2.41-6ubuntu1.1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1.2",
                    "version": "2.41-6ubuntu1.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8058",
                        "url": "https://ubuntu.com/security/CVE-2025-8058",
                        "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-23 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8058",
                                "url": "https://ubuntu.com/security/CVE-2025-8058",
                                "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-23 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free in regcomp function",
                            "    - debian/patches/any/CVE-2025-8058.patch: fix double-free after",
                            "      allocation failure in regcomp in posix/Makefile, posix/regcomp.c,",
                            "      posix/tst-regcomp-bracket-free.c.",
                            "    - CVE-2025-8058",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.41-6ubuntu1.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 17 Sep 2025 08:17:39 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc6",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1.1",
                    "version": "2.41-6ubuntu1.1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.41-6ubuntu1.2",
                    "version": "2.41-6ubuntu1.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-8058",
                        "url": "https://ubuntu.com/security/CVE-2025-8058",
                        "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-23 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-8058",
                                "url": "https://ubuntu.com/security/CVE-2025-8058",
                                "cve_description": "The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc  that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-23 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free in regcomp function",
                            "    - debian/patches/any/CVE-2025-8058.patch: fix double-free after",
                            "      allocation failure in regcomp in posix/Makefile, posix/regcomp.c,",
                            "      posix/tst-regcomp-bracket-free.c.",
                            "    - CVE-2025-8058",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.41-6ubuntu1.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 17 Sep 2025 08:17:39 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-modules",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.3",
                    "version": "1.5.3-7ubuntu4.3"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-modules-bin",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.3",
                    "version": "1.5.3-7ubuntu4.3"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-runtime",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.3",
                    "version": "1.5.3-7ubuntu4.3"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam0g",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.3",
                    "version": "1.5.3-7ubuntu4.3"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-7ubuntu4.4",
                    "version": "1.5.3-7ubuntu4.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-10963",
                        "url": "https://ubuntu.com/security/CVE-2024-10963",
                        "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-10963",
                                "url": "https://ubuntu.com/security/CVE-2024-10963",
                                "cve_description": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: pam_access hostname confusion",
                            "    - debian/patches/CVE-2024-10963.patch: add \"nodns\" option to disallow",
                            "      resolving of tokens as hostname in",
                            "      modules/pam_access/access.conf.5.xml,",
                            "      modules/pam_access/pam_access.8.xml,",
                            "      modules/pam_access/pam_access.c.",
                            "    - CVE-2024-10963",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-7ubuntu4.4",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 15 Sep 2025 08:28:47 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.13-minimal",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.2",
                    "version": "3.13.3-1ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.13-stdlib",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.2",
                    "version": "3.13.3-1ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsqlite3-0",
                "from_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.46.1-3ubuntu0.1",
                    "version": "3.46.1-3ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.46.1-3ubuntu0.3",
                    "version": "3.46.1-3ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-7709",
                        "url": "https://ubuntu.com/security/CVE-2025-7709",
                        "cve_description": "An integer overflow exists in the  FTS5 https://sqlite.org/fts5.html  extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-08 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6965",
                        "url": "https://ubuntu.com/security/CVE-2025-6965",
                        "cve_description": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 14:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-7709",
                                "url": "https://ubuntu.com/security/CVE-2025-7709",
                                "cve_description": "An integer overflow exists in the  FTS5 https://sqlite.org/fts5.html  extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-08 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in FTS5 extension",
                            "    - debian/patches/CVE-2025-7709.patch: optimize allocation of large",
                            "      tombstone arrays in fts5 in ext/fts5/fts5_index.c.",
                            "    - CVE-2025-7709",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.46.1-3ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 11 Sep 2025 14:03:41 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6965",
                                "url": "https://ubuntu.com/security/CVE-2025-6965",
                                "cve_description": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Memory corruption via number of aggregate terms",
                            "    - debian/patches/CVE-2025-6965.patch: raise an error right away if the",
                            "      number of aggregate terms in a query exceeds the maximum number of",
                            "      columns in src/expr.c, src/sqliteInt.h.",
                            "    - CVE-2025-6965",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.46.1-3ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 18 Jul 2025 10:53:51 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.14.0-24.24",
                    "version": "6.14.0-24.24"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.14.0-32.32",
                    "version": "6.14.0-32.32"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-32.32",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-32.32",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 29 Aug 2025 11:56:33 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-30.30",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-30.30",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Wed, 13 Aug 2025 15:25:30 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-28.28",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-28.28",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:09:01 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-27.27",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-27.27",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 22 Jul 2025 16:57:16 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-26.26",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-26.26",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 11 Jul 2025 14:33:21 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.1",
                    "version": "1:9.9p1-3ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.2",
                    "version": "1:9.9p1-3ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.9p1-3ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 08:50:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.1",
                    "version": "1:9.9p1-3ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.2",
                    "version": "1:9.9p1-3ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.9p1-3ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 08:50:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.1",
                    "version": "1:9.9p1-3ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.9p1-3ubuntu3.2",
                    "version": "1:9.9p1-3ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111226
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.9p1-3ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111226
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 26 Aug 2025 08:50:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-base",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-2ubuntu0.1",
                    "version": "5.40.1-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-2ubuntu0.2",
                    "version": "5.40.1-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40909",
                        "url": "https://ubuntu.com/security/CVE-2025-40909",
                        "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths.  If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.  This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.  The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-30 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40909",
                                "url": "https://ubuntu.com/security/CVE-2025-40909",
                                "cve_description": "Perl threads have a working directory race condition where file operations may target unintended paths.  If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.  This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.  The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-30 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: threads race condition in file operations",
                            "    - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for",
                            "      fdopendir in regen-configure/U/perl/d_fdopendir.U.",
                            "    - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without",
                            "      fchdir in Configure, Cross/config.sh-arm-linux,",
                            "      Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,",
                            "      config_h.SH, configure.com, plan9/config_sh.sample, sv.c,",
                            "      t/op/threads-dirh.t, win32/config.gc, win32/config.vc.",
                            "    - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in",
                            "      Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,",
                            "      config_h.SH, plan9/config_sh.sample.",
                            "    - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec",
                            "      in Perl_dirp_dup to set O_CLOEXEC in sv.c.",
                            "    - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly",
                            "      reorder Configure and config_h.SH to match metaconfig output in",
                            "      Configure, config_h.SH.",
                            "    - CVE-2025-40909",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 25 Jul 2025 13:26:40 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distupgrade",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.17",
                    "version": "1:25.04.17"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.18",
                    "version": "1:25.04.18"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111715
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * On RISC-V check for RVA23U64 compatibility (LP: #2111715)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.04.18",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111715
                        ],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Mon, 07 Jul 2025 17:03:16 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.2",
                    "version": "3.13.3-1ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13-minimal",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.2",
                    "version": "3.13.3-1ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.3-1ubuntu0.3",
                    "version": "3.13.3-1ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6069",
                        "url": "https://ubuntu.com/security/CVE-2025-6069",
                        "cve_description": "The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-17 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-8194",
                        "url": "https://ubuntu.com/security/CVE-2025-8194",
                        "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-28 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6069",
                                "url": "https://ubuntu.com/security/CVE-2025-6069",
                                "cve_description": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-17 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-8194",
                                "url": "https://ubuntu.com/security/CVE-2025-8194",
                                "cve_description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.  This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-28 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Regular expression denial of service.",
                            "    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in",
                            "      Lib/html/parser.py.",
                            "    - CVE-2025-6069",
                            "  * SECURITY UPDATE: Infinite loop when parsing tar archives.",
                            "    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in",
                            "      Lib/tarfile.py.",
                            "    - CVE-2025-8194",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.3-1ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Thu, 14 Aug 2025 09:23:40 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.67.1+25.04",
                    "version": "2.67.1+25.04"
                },
                "to_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.68.5+ubuntu25.04.2",
                    "version": "2.68.5+ubuntu25.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098137,
                    2109843,
                    2104933,
                    2099709,
                    2101834,
                    2089195,
                    2072987,
                    1712808,
                    1966203,
                    1886414,
                    2089691
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2098137",
                            "    -LP: #2109843 fix missing preseed files when running in a container",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.5+ubuntu25.04.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2098137,
                            2109843
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 21 May 2025 17:46:09 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - Snap components: LP: #2104933 workaround for classic 24.04/24.10",
                            "      models that incorrectly specify core22 instead of core24",
                            "    - Update build dependencies",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.4+ubuntu25.04",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2104933
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 02 Apr 2025 19:48:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - FDE: use boot mode for FDE hooks",
                            "    - FDE: add snap-bootstrap compatibility check to prevent image",
                            "      creation with incompatible snapd and kernel snap",
                            "    - FDE: add argon2 out-of-process KDF support",
                            "    - FDE: have separate mutex for the sections writing a fresh modeenv",
                            "    - FDE: LP: #2099709 update secboot to e07f4ae48e98",
                            "    - FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to",
                            "      old keyring path",
                            "    - Confdb: support pruning ephemeral data and process alternative",
                            "      types in order",
                            "    - core-initrd: look at env to mount directly to /sysroot",
                            "    - core-initrd: prepare for Plucky build and split out 24.10",
                            "      (Oracular)",
                            "    - Fix Plucky snapd deb build issue related to /var/lib/snapd/void",
                            "      permissions",
                            "    - Fix snapd deb build complaint about ifneq with extra bracket",
                            "    - Fix missing primed packages in snapd snap manifest",
                            "    - Interfaces: posix-mq | fix incorrect clobbering of global variable",
                            "      and make interface more precise",
                            "    - Interfaces: opengl | add more kernel fusion driver files",
                            "    - Fix snap-confine type specifier type mismatch on armhf",
                            "    - FDE: add support for new and more extensible key format that is",
                            "      unified between TPM and FDE hook",
                            "    - FDE: add support for adding passphrases during installation",
                            "    - FDE: update secboot to 30317622bbbc",
                            "    - Snap components: make kernel components available on firstboot",
                            "      after either initramfs or ephemeral rootfs style install",
                            "    - Snap components: mount drivers tree from initramfs so kernel",
                            "      modules are available in early boot stages",
                            "    - Snap components: support remodeling to models that contain",
                            "      components",
                            "    - Snap components: support offline remodeling to models that contain",
                            "      components",
                            "    - Snap components: support creating new recovery systems with",
                            "      components",
                            "    - Snap components: support downloading components with 'snap",
                            "      download' command",
                            "    - Snap components: support sideloading asserted components",
                            "    - AppArmor Prompting(experimental): improve version checks and",
                            "      handling of listener notification protocol for communication with",
                            "      kernel AppArmor",
                            "    - AppArmor Prompting(experimental): make prompt replies idempotent,",
                            "      and have at most one rule for any given path pattern, with",
                            "      potentially mixed outcomes and lifespans",
                            "    - AppArmor Prompting(experimental): timeout unresolved prompts after",
                            "      a period of client inactivity",
                            "    - AppArmor Prompting(experimental): return an error if a patch",
                            "      request to the API would result in a rule without any permissions",
                            "    - AppArmor Prompting(experimental): warn if there is no prompting",
                            "      client present but prompting is enabled, or if a prompting-related",
                            "      error occurs during snapd startup",
                            "    - AppArmor Prompting(experimental): do not log error when converting",
                            "      empty permissions to AppArmor permissions",
                            "    - Confdb(experimental): rename registries to confdbs (including API",
                            "      /v2/registries => /v2/confdb)",
                            "    - Confdb(experimental): support marking confdb schemas as ephemeral",
                            "    - Confdb(experimental): add confdb-control assertion and feature",
                            "      flag",
                            "    - Refresh App Awareness(experimental): LP: #2089195 prevent",
                            "      possibility of incorrect notification that snap will quit and",
                            "      update",
                            "    - Confidential VMs: snap-bootstrap support for loading partition",
                            "      information from a manifest file for cloudimg-rootfs mode",
                            "    - Confidential VMs: snap-bootstrap support for setting up cloudimg-",
                            "      rootfs as an overlayfs with integrity protection",
                            "    - dm-verity for essential snaps: add support for snap-integrity",
                            "      assertion",
                            "    - Interfaces: modify AppArmor template to allow owner read on",
                            "      @{PROC}/@{pid}/fdinfo/*",
                            "    - Interfaces: LP: #2072987 modify AppArmor template to allow using",
                            "      setpriv to run daemon as non-root user",
                            "    - Interfaces: add configfiles backend that ensures the state of",
                            "      configuration files in the filesystem",
                            "    - Interfaces: add ldconfig backend that exposes libraries coming",
                            "      from snaps to either the rootfs or to other snaps",
                            "    - Interfaces: LP: #1712808 disable udev backend when",
                            "      inside a container",
                            "    - Interfaces: add auditd-support interface that grants audit_control",
                            "      capability and required paths for auditd to function",
                            "    - Interfaces: add checkbox-support interface that allows",
                            "      unrestricted access to all devices",
                            "    - Interfaces: fwupd | allow access to dell bios recovery",
                            "    - Interfaces: fwupd | allow access to shim and fallback shim",
                            "    - Interfaces: mount-control | add mount option validator to detect",
                            "      mount option conflicts early",
                            "    - Interfaces: cpu-control | add read access to /sys/kernel/irq/",
                            "    - Interfaces: locale-control | changed to be implicit on Ubuntu Core",
                            "      Desktop",
                            "    - Interfaces: microstack-support | support for utilizing of AMD SEV",
                            "      capabilities",
                            "    - Interfaces: u2f | added missing OneSpan device product IDs",
                            "    - Interfaces: auditd-support | grant seccomp setpriority",
                            "    - Interfaces: opengl interface | enable parsing of nvidia driver",
                            "      information files",
                            "    - Interfaces: mount-control interface | add CIFS support",
                            "    - Allow mksquashfs 'xattrs' when packing snap types os, core, base",
                            "      and snapd as part of work to support non-root snap-confine",
                            "    - Upstream/downstream packaging changes and build updates",
                            "    - Improve error logs for malformed desktop files to also show which",
                            "      desktop file is at fault",
                            "    - Provide more precise error message when overriding channels with",
                            "      grade during seed creation",
                            "    - Expose 'snap prepare-image' validation parameter",
                            "    - Add snap-seccomp 'dump' command that dumps the filter rules from a",
                            "      compiled profile",
                            "    - Add fallback release info location /etc/initrd-release",
                            "    - Added core-initrd to snapd repo and fixed issues with ubuntu-core-",
                            "      initramfs deb builds",
                            "    - Remove stale robust-mount-namespace-updates experimental feature",
                            "      flag",
                            "    - Remove snapd-snap experimental feature (rejected) and it's feature",
                            "      flag",
                            "    - Changed snap-bootstrap to mount base directly on /sysroot",
                            "    - Mount ubuntu-seed mounted as no-{suid,exec,dev}",
                            "    - Mapping volumes to disks: add support for volume-assignments in",
                            "      gadget",
                            "    - Fix silently broken binaries produced by distro patchelf 0.14.3 by",
                            "      using locally build patchelf 0.18",
                            "    - Fix mismatch between listed refresh candidates and actual refresh",
                            "      due to outdated validation sets",
                            "    - Fix 'snap get' to produce compact listing for tty",
                            "    - Fix missing store-url by keeping it as part of auxiliary store",
                            "      info",
                            "    - Fix snap-confine attempting to retrieve device cgroup setup inside",
                            "      container where it is not available",
                            "    - Fix 'snap set' and 'snap get' panic on empty strings with early",
                            "      error checking",
                            "    - Fix logger debug entries to show correct caller and file",
                            "      information",
                            "    - Fix issue preventing hybrid systems from being seeded on first",
                            "      boot",
                            "    - LP: #1966203 remove auto-import udev rules not required by deb",
                            "      package to avoid unwanted syslog errors",
                            "    - LP: #1886414 fix progress reporting when stdout is on a tty, but",
                            "      stdin is not",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.68.3+ubuntu25.04.3",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2099709,
                            2101834,
                            2089195,
                            2072987,
                            1712808,
                            1966203,
                            1886414
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Mon, 10 Mar 2025 20:13:38 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2089691",
                            "    - AppArmor prompting (experimental): allow overlapping rules",
                            "    - Registry view (experimental): Changes to registry data (from both",
                            "      users and snaps) can be validated and saved by custodian snaps",
                            "    - Registry view (experimental): Support 'snapctl get --pristine' to",
                            "      read the registry data excluding staged transaction changes",
                            "    - Registry view (experimental): Put registry commands behind",
                            "      experimental feature flag",
                            "    - Components: Make modules shipped/created by kernel-modules",
                            "      components available right after reboot",
                            "    - Components: Add tab completion for local component files",
                            "    - Components: Allow installing snaps and components from local files",
                            "      jointly on the CLI",
                            "    - Components: Allow 'snapctl model' command for gadget and kernel",
                            "      snaps",
                            "    - Components: Add 'snap components' command",
                            "    - Components: Bug fixes",
                            "    - eMMC gadget updates (WIP): add syntax support in gadget.yaml for",
                            "      eMMC schema",
                            "    - Support for ephemeral recovery mode on hybrid systems",
                            "    - Support for dm-verity options in snap-bootstrap",
                            "    - Support for overlayfs options and allow empty what argument for",
                            "      tmpfs",
                            "    - Enable ubuntu-image to determine the size of the disk image to",
                            "      create",
                            "    - Expose 'snap debug' commands 'validate-seed' and 'seeding'",
                            "    - Add debug API option to use dedicated snap socket /run/snapd-",
                            "      snap.socket",
                            "    - Hide experimental features that are no longer required",
                            "      (accepted/rejected)",
                            "    - Mount ubuntu-save partition with no{exec,dev,suid} at install, run",
                            "      and factory-reset",
                            "    - Improve memory controller support with cgroup v2",
                            "    - Support ssh socket activation configurations (used by ubuntu",
                            "      22.10+)",
                            "    - Fix generation of AppArmor profile with incorrect revision during",
                            "      multi snap refresh",
                            "    - Fix refresh app awareness related deadlock edge case",
                            "    - Fix not caching delta updated snap download",
                            "    - Fix passing non root uid, guid to initial tmpfs mount",
                            "    - Fix ignoring snaps in try mode when amending",
                            "    - Fix reloading of service activation units to avoid systemd errors",
                            "    - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS",
                            "      updates PPA",
                            "    - Make killing of snap apps best effort to avoid possibility of",
                            "      malicious failure loop",
                            "    - Alleviate impact of auto-refresh failure loop with progressive",
                            "      delay",
                            "    - Dropped timedatex in selinux-policy to avoid runtime issue",
                            "    - Fix missing syscalls in seccomp profile",
                            "    - Modify AppArmor template to allow using SNAP_REEXEC on arch",
                            "      systems",
                            "    - Modify AppArmor template to allow using vim.tiny (available in",
                            "      base snaps)",
                            "    - Modify AppArmor template to add read-access to debian_version",
                            "    - Modify AppArmor template to allow owner to read",
                            "      @{PROC}/@{pid}/sessionid",
                            "    - {common,personal,system}-files interface: prohibit trailing @ in",
                            "      filepaths",
                            "    - {desktop,shutdown,system-observe,upower-observe} interface:",
                            "      improve for Ubuntu Core Desktop",
                            "    - custom-device interface: allow @ in custom-device filepaths",
                            "    - desktop interface: improve launch entry and systray integration",
                            "      with session",
                            "    - desktop-legacy interface: allow DBus access to",
                            "      com.canonical.dbusmenu",
                            "    - fwupd interface: allow access to nvmem for thunderbolt plugin",
                            "    - mpris interface: add plasmashell as label",
                            "    - mount-control interface: add support for nfs mounts",
                            "    - network-{control,manager} interface: add missing dbus link rules",
                            "    - network-manager-observe interface: add getDevices methods",
                            "    - opengl interface: add Kernel Fusion Driver access to opengl",
                            "    - screen-inhibit-control interface: improve screen inhibit control",
                            "      for use on core",
                            "    - udisks2 interface: allow ping of the UDisks2 service",
                            "    - u2f-devices interface: add Nitrokey Passkey",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.67",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2089691
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Mon, 02 Dec 2024 23:14:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-timesyncd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-drivers-common",
                "from_version": {
                    "source_package_name": "ubuntu-drivers-common",
                    "source_package_version": "1:0.10.2",
                    "version": "1:0.10.2"
                },
                "to_version": {
                    "source_package_name": "ubuntu-drivers-common",
                    "source_package_version": "1:0.10.2.1",
                    "version": "1:0.10.2.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2115537
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Clarify gpgpu flag help text (LP: #2115537)",
                            ""
                        ],
                        "package": "ubuntu-drivers-common",
                        "version": "1:0.10.2.1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2115537
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Tue, 01 Jul 2025 16:47:38 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-release-upgrader-core",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.17",
                    "version": "1:25.04.17"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.04.18",
                    "version": "1:25.04.18"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111715
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * On RISC-V check for RVA23U64 compatibility (LP: #2111715)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.04.18",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111715
                        ],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Mon, 07 Jul 2025 17:03:16 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.1",
                    "version": "257.4-1ubuntu3.1"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "257.4-1ubuntu3.2",
                    "version": "257.4-1ubuntu3.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111107,
                    2110585,
                    2115418
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Ural Tunaboyu ]",
                            "  * analyze: don't connect to the private bus on test runs (LP: #2111107):",
                            "    - analyze: don't connect to bus from analyze test run",
                            "    - pid1: don't connect to oomd in test runs",
                            "    - manager: explicitly create our private runtime directory",
                            "",
                            "  [ Mario Limonciello ]",
                            "  * Drop support for using actual brightness (LP: #2110585)",
                            "",
                            "  [ Chengen Du ]",
                            "  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist",
                            "    (LP: #2115418)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "257.4-1ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2111107,
                            2110585,
                            2115418
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Tue, 29 Jul 2025 09:20:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0967-1ubuntu4",
                    "version": "2:9.1.0967-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0967-1ubuntu4.1",
                    "version": "2:9.1.0967-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-53905",
                        "url": "https://ubuntu.com/security/CVE-2025-53905",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content; a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-53906",
                        "url": "https://ubuntu.com/security/CVE-2025-53906",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content; a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-15 21:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-53905",
                                "url": "https://ubuntu.com/security/CVE-2025-53905",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content; a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-53906",
                                "url": "https://ubuntu.com/security/CVE-2025-53906",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim, which will reveal the filename and the file content; a careful user may suspect that something strange is going on. Successful exploitation could result in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-15 21:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path traversal when opening specially crafted tar/zip",
                            "    archives.",
                            "    - debian/patches/CVE-2025-53905.patch: Replace \"echohl Error\" with call,",
                            "      remove leading slashes from name, replace tar_secure with g:tar_secure in",
                            "      runtime/autoload/tar.vim.",
                            "    - debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w,",
                            "      call warning for path traversal attack, and escape leading \"../\" in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2025-53905",
                            "    - CVE-2025-53906",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0967-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 27 Aug 2025 17:17:04 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.14.0-32-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-24.24",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-32.32",
                    "version": "6.14.0-32.32"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-32.32",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-32.32",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 29 Aug 2025 11:56:13 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-30.30",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-30.30",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Wed, 13 Aug 2025 15:25:59 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-28.28",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-28.28",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:08:28 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-27.27",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-27.27",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Tue, 22 Jul 2025 16:46:56 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-26.26",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-26.26",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 11 Jul 2025 14:32:35 +0200"
                    }
                ],
                "notes": "linux-image-6.14.0-32-generic version '6.14.0-32.32' (source package linux-signed version '6.14.0-32.32') was added. linux-image-6.14.0-32-generic version '6.14.0-32.32' has the same source package name, linux-signed, as removed package linux-image-6.14.0-24-generic. As such we can use the source package version of the removed package, '6.14.0-24.24', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.14.0-32-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-24.24",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-32.32",
                    "version": "6.14.0-32.32"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-38105",
                        "url": "https://ubuntu.com/security/CVE-2025-38105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Kill timer properly at removal  The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call.  This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer.  For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38114",
                        "url": "https://ubuntu.com/security/CVE-2025-38114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  e1000: Move cancel_work_sync to avoid deadlock  Previously, e1000_down called cancel_work_sync for the e1000 reset task (via e1000_down_and_stop), which takes RTNL.  As reported by users and syzbot, a deadlock is possible in the following scenario:  CPU 0:   - RTNL is held   - e1000_close   - e1000_down   - cancel_work_sync (cancel / wait for e1000_reset_task())  CPU 1:   - process_one_work   - e1000_reset_task   - take RTNL  To remedy this, avoid calling cancel_work_sync from e1000_down (e1000_reset_task does nothing if the device is down anyway). Instead, call cancel_work_sync for e1000_reset_task when the device is being removed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38116",
                        "url": "https://ubuntu.com/security/CVE-2025-38116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix uaf in ath12k_core_init()  When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain.  Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases.  Call trace:  notifier_chain_register+0x4c/0x1f0 (P)  atomic_notifier_chain_register+0x38/0x68  ath12k_core_init+0x50/0x4e8 [ath12k]  ath12k_pci_probe+0x5f8/0xc28 [ath12k]  pci_device_probe+0xbc/0x1a8  really_probe+0xc8/0x3a0  __driver_probe_device+0x84/0x1b0  driver_probe_device+0x44/0x130  __driver_attach+0xcc/0x208  bus_for_each_dev+0x84/0x100  driver_attach+0x2c/0x40  bus_add_driver+0x130/0x260  driver_register+0x70/0x138  __pci_register_driver+0x68/0x80  ath12k_pci_init+0x30/0x68 [ath12k]  ath12k_init+0x28/0x78 [ath12k]  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38306",
                        "url": "https://ubuntu.com/security/CVE-2025-38306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/fhandle.c: fix a race in call of has_locked_children()  may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race...  The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question.  Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it.  Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38272",
                        "url": "https://ubuntu.com/security/CVE-2025-38272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dsa: b53: do not enable EEE on bcm63xx  BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers.  Fix this by checking if the switch actually supports EEE before attempting to configure it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38311",
                        "url": "https://ubuntu.com/security/CVE-2025-38311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iavf: get rid of the crit lock  Get rid of the crit lock. That frees us from the error prone logic of try_locks.  Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case.  Lockdep reports that we should cancel the work under crit_lock [splat1], and that was the scheme we have mostly followed since [1] by Slawomir. But when that is done we still got into deadlocks [splat2]. So instead we should look at the bigger problem, namely \"weird locking/scheduling\" of the iavf. The first step to fix that is to remove the crit lock. I will followup with a -next series that simplifies scheduling/tasks.  Cancel the work without netdev lock (weird unlock+lock scheme), to fix the [splat2] (which would be totally ugly if we would kept the crit lock).  Extend protected part of iavf_watchdog_task() to include scheduling more work.  Note that the removed comment in iavf_reset_task() was misplaced, it belonged to inside of the removed if condition, so it's gone now.  [splat1] - w/o this patch - The deadlock during VF removal:      WARNING: possible circular locking dependency detected      sh/3825 is trying to acquire lock:       ((work_completion)(&(&adapter->watchdog_task)->work)){+.+.}-{0:0}, at: start_flush_work+0x1a1/0x470           but task is already holding lock:       (&adapter->crit_lock){+.+.}-{4:4}, at: iavf_remove+0xd1/0x690 [iavf]           which lock already depends on the new lock.  
[splat2] - when cancelling work under crit lock, w/o this series, \t   see [2] for the band aid attempt     WARNING: possible circular locking dependency detected     sh/3550 is trying to acquire lock:     ((wq_completion)iavf){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90         but task is already holding lock:     (&dev->lock){+.+.}-{4:4}, at: iavf_remove+0xa6/0x6e0 [iavf]         which lock already depends on the new lock.  [1] fc2e6b3b132a (\"iavf: Rework mutexes for better synchronisation\") [2] https://github.com/pkitszel/linux/commit/52dddbfc2bb60294083f5711a158a",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38128",
                        "url": "https://ubuntu.com/security/CVE-2025-38128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands  In 'mgmt_hci_cmd_sync()', check whether the size of parameters passed in 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data (i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes). Otherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()' to do 'skb_put_data()' from an area beyond the one actually passed to 'mgmt_hci_cmd_sync()'.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38130",
                        "url": "https://ubuntu.com/security/CVE-2025-38130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/connector: only call HDMI audio helper plugged cb if non-null  On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb with NULL as the callback function and codec_dev, as seen in its hdmi_remove function.  The HDMI audio helper then happily tries calling said null function pointer, and produces an Oops as a result.  Fix this by only executing the callback if fn is non-null. This means the .plugged_cb and .plugged_cb_dev members still get appropriately cleared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38132",
                        "url": "https://ubuntu.com/security/CVE-2025-38132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: holding cscfg_csdev_lock while removing cscfg from csdev  There'll be possible race scenario for coresight config:  CPU0                                          CPU1 (perf enable)                                 load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config()   lock(csdev->cscfg_csdev_lock)                                               deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()   <iterating config_csdev_list>              cscfg_remove_owned_csdev_configs()   // here load config activate by CPU1   unlock(csdev->cscfg_csdev_lock)  iterating config_csdev_list could be raced with config_csdev_list's entry delete.  To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs()",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38137",
                        "url": "https://ubuntu.com/security/CVE-2025-38137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/pwrctrl: Cancel outstanding rescan work when unregistering  It's possible to trigger use-after-free here by:    (a) forcing rescan_work_func() to take a long time and   (b) utilizing a pwrctrl driver that may be unloaded for some reason  Cancel outstanding work to ensure it is finished before we allow our data structures to be cleaned up.  [bhelgaas: tidy commit log]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38139",
                        "url": "https://ubuntu.com/security/CVE-2025-38139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfs: Fix oops in write-retry from mis-resetting the subreq iterator  Fix the resetting of the subrequest iterator in netfs_retry_write_stream() to use the iterator-reset function as the iterator may have been shortened by a previous retry.  In such a case, the amount of data to be written by the subrequest is not \"subreq->len\" but \"subreq->len - subreq->transferred\".  Without this, KASAN may see an error in iov_iter_revert():     BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]    BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611    Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147     CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014    Workqueue: events_unbound netfs_write_collection_worker    Call Trace:     <TASK>     __dump_stack lib/dump_stack.c:94 [inline]     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120     print_address_description mm/kasan/report.c:408 [inline]     print_report+0xc3/0x670 mm/kasan/report.c:521     kasan_report+0xe0/0x110 mm/kasan/report.c:634     iov_iter_revert lib/iov_iter.c:633 [inline]     iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611     netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]     netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231     netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]     netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374     process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238     process_scheduled_works kernel/workqueue.c:3319 [inline]     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400     kthread+0x3c2/0x780 kernel/kthread.c:464     ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153  
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245     </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38140",
                        "url": "https://ubuntu.com/security/CVE-2025-38140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: limit swapping tables for devices with zone write plugs  dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size.  If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device.  If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to.  If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes.  Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources.  Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append.  Also, it cannot change the device size or the zone size. A device can switch to an error target.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38279",
                        "url": "https://ubuntu.com/security/CVE-2025-38279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Do not include stack ptr register in precision backtracking bookkeeping  Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg:   [   60.643604] verifier backtracking bug   [   60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10   [   60.648428] Modules linked in: bpf_testmod(OE)   [   60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G          OE       6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full)   [   60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   [   60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014   [   60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10   [   60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04                        01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ...   [   60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246   [   60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000   [   60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff   [   60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a   [   60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8   [   60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001   [   60.684030] FS:  00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000   [   60.686837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [   60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0   [   60.691623] Call Trace:   [   60.692821]  <TASK>   [   60.693960]  ? __pfx_verbose+0x10/0x10   [   60.695656]  ? 
__pfx_disasm_kfunc_name+0x10/0x10   [   60.697495]  check_cond_jmp_op+0x16f7/0x39b0   [   60.699237]  do_check+0x58fa/0xab10   ...  Further analysis shows the warning is at line 4302 as below:    4294                 /* static subprog call instruction, which   4295                  * means that we are exiting current subprog,   4296                  * so only r1-r5 could be still requested as   4297                  * precise, r0 and r6-r10 or any stack slot in   4298                  * the current frame should be zero by now   4299                  */   4300                 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {   4301                         verbose(env, \"BUG regs %x\\n\", bt_reg_mask(bt));   4302                         WARN_ONCE(1, \"verifier backtracking bug\");   4303                         return -EFAULT;   4304                 }  With the below test (also in the next patch):   __used __naked static void __bpf_jmp_r10(void)   { \tasm volatile ( \t\"r2 = 2314885393468386424 ll;\" \t\"goto +0;\" \t\"if r2 <= r10 goto +3;\" \t\"if r1 >= -1835016 goto +0;\" \t\"if r2 <= 8 goto +0;\" \t\"if r3 <= 0 goto +0;\" \t\"exit;\" \t::: __clobber_all);   }    SEC(\"?raw_tp\")   __naked void bpf_jmp_r10(void)   { \tasm volatile ( \t\"r3 = 0 ll;\" \t\"call __bpf_jmp_r10;\" \t\"r0 = 0;\" \t\"exit;\" \t::: __clobber_all);   }  The following is the verifier failure log:   0: (18) r3 = 0x0                      ; R3_w=0   2: (85) call pc+2   caller:    R10=fp0   callee:    frame1: R1=ctx() R3_w=0 R10=fp0   5: frame1: R1=ctx() R3_w=0 R10=fp0   ; asm volatile (\"                                 \\ @ verifier_precision.c:184   5: (18) r2 = 0x20202000256c6c78       ; frame1: R2_w=0x20202000256c6c78   7: (05) goto pc+0   8: (bd) if r2 <= r10 goto pc+3        ; frame1: R2_w=0x20202000256c6c78 R10=fp0   9: (35) if r1 >= 0xffe3fff8 goto pc+0         ; frame1: R1=ctx()   10: (b5) if r2 <= 0x8 goto pc+0   mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1   mark_precise: 
frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0   mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3   mark_preci ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38314",
                        "url": "https://ubuntu.com/security/CVE-2025-38314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-pci: Fix result size returned for the admin command completion  The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status.  This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra    data at the end. 2. The allocated buffer in the kernel may be smaller than the returned    size, leading to failures when reading beyond the allocated size.  The commit fixes this by subtracting the status size from the result of virtqueue_get_buf().  This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38316",
                        "url": "https://ubuntu.com/security/CVE-2025-38316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()  The function mt7996_set_monitor() dereferences phy before the NULL sanity check.  Fix this to avoid NULL pointer dereference by moving the dereference after the check.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38281",
                        "url": "https://ubuntu.com/security/CVE-2025-38281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init  devm_kasprintf() can return a NULL pointer on failure, but this returned value in mt7996_thermal_init() is not checked. Add a NULL check in mt7996_thermal_init() to handle the kernel NULL pointer dereference error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38284",
                        "url": "https://ubuntu.com/security/CVE-2025-38284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw89: pci: configure manual DAC mode via PCI config API only  To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA.  With NULL mmap address, kernel throws trace:    BUG: unable to handle page fault for address: 0000000000001090   #PF: supervisor write access in kernel mode   #PF: error_code(0x0002) - not-present page   PGD 0 P4D 0   Oops: Oops: 0002 [#1] PREEMPT SMP PTI   CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE     6.14.2-061402-generic #202504101348   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]   RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206   RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000   RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020   RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015   R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060   FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0   Call Trace:    <TASK>    rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]    rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]    rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]    ? __pfx___device_attach_driver+0x10/0x10    ? __pfx___device_attach_driver+0x10/0x10    local_pci_probe+0x47/0xa0    pci_call_probe+0x5d/0x190    pci_device_probe+0xa7/0x160    really_probe+0xf9/0x370    ? 
pm_runtime_barrier+0x55/0xa0    __driver_probe_device+0x8c/0x140    driver_probe_device+0x24/0xd0    __device_attach_driver+0xcd/0x170    bus_for_each_drv+0x99/0x100    __device_attach+0xb4/0x1d0    device_attach+0x10/0x20    pci_bus_add_device+0x59/0x90    pci_bus_add_devices+0x31/0x80    pciehp_configure_device+0xaa/0x170    pciehp_enable_slot+0xd6/0x240    pciehp_handle_presence_or_link_change+0xf1/0x180    pciehp_ist+0x162/0x1c0    irq_thread_fn+0x24/0x70    irq_thread+0xef/0x1c0    ? __pfx_irq_thread_fn+0x10/0x10    ? __pfx_irq_thread_dtor+0x10/0x10    ? __pfx_irq_thread+0x10/0x10    kthread+0xfc/0x230    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x47/0x70    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38287",
                        "url": "https://ubuntu.com/security/CVE-2025-38287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  IB/cm: Drop lockdep assert and WARN when freeing old msg  The send completion handler can run after cm_id has advanced to another message.  The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38289",
                        "url": "https://ubuntu.com/security/CVE-2025-38289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk  Smatch detected a potential use-after-free of an ndlp object in dev_loss_tmo_callbk during driver unload or fatal error handling.  Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38291",
                        "url": "https://ubuntu.com/security/CVE-2025-38291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash  Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.  Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.  Call Trace:  <TASK>  dump_stack_lvl+0x75/0xc0  register_lock_class+0x6be/0x7a0  ? __lock_acquire+0x644/0x19a0  __lock_acquire+0x95/0x19a0  lock_acquire+0x265/0x310  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ? find_held_lock+0x34/0xa0  ? ath12k_ce_send+0x56/0x210 [ath12k]  _raw_spin_lock_bh+0x33/0x70  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_htc_send+0x178/0x390 [ath12k]  ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]  ath12k_wmi_cmd_send+0x62/0x190 [ath12k]  ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1  ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]  ieee80211_dump_survey+0x99/0x240 [mac80211]  nl80211_dump_survey+0xe7/0x470 [cfg80211]  ? kmalloc_reserve+0x59/0xf0  genl_dumpit+0x24/0x70  netlink_dump+0x177/0x360  __netlink_dump_start+0x206/0x280  genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0  ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0  ? genl_op_lock.part.12+0x10/0x10  ? genl_dumpit+0x70/0x70  genl_rcv_msg+0x1d0/0x290  ? nl80211_del_station+0x330/0x330 [cfg80211]  ? genl_get_cmd_both+0x50/0x50  netlink_rcv_skb+0x4f/0x100  genl_rcv+0x1f/0x30  netlink_unicast+0x1b6/0x260  netlink_sendmsg+0x31a/0x450  __sock_sendmsg+0xa8/0xb0  ____sys_sendmsg+0x1e4/0x260  ___sys_sendmsg+0x89/0xe0  ? local_clock_noinstr+0xb/0xc0  ? rcu_is_watching+0xd/0x40  ? kfree+0x1de/0x370  ? 
__sys_sendmsg+0x7a/0xc0  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38294",
                        "url": "https://ubuntu.com/security/CVE-2025-38294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix NULL access in assign channel context handler  Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn).  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38296",
                        "url": "https://ubuntu.com/security/CVE-2025-38296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: platform_profile: Avoid initializing on non-ACPI platforms  The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_register() to the module init call, and those entries need acpi_kobj to be initialized which is not the case when ACPI is disabled.  This results in the following warning:   WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8  Modules linked in:  CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.15.0-rc7-dirty #6 PREEMPT  Tainted: [W]=WARN  Hardware name: riscv-virtio,qemu (DT)  epc : internal_create_group+0xa22/0xdd8   ra : internal_create_group+0xa22/0xdd8   Call Trace:   internal_create_group+0xa22/0xdd8  sysfs_create_group+0x22/0x2e  platform_profile_init+0x74/0xb2  do_one_initcall+0x198/0xa9e  kernel_init_freeable+0x6d8/0x780  kernel_init+0x28/0x24c  ret_from_fork+0xe/0x18  Fix this by checking if ACPI is enabled before trying to create sysfs entries.  [ rjw: Subject and changelog edits ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38100",
                        "url": "https://ubuntu.com/security/CVE-2025-38100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/iopl: Cure TIF_IO_BITMAP inconsistencies  io_bitmap_exit() is invoked from exit_thread() when a task exits or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork().  io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference.  There are two issues, which lead to that problem:    1) io_bitmap_exit() should not invoke task_update_io_bitmap() when      the task, which is cleaned up, is not the current task. That's a      clear indicator for a cleanup after a failed fork().    2) A task should not have TIF_IO_BITMAP set and neither a bitmap      installed nor IOPL emulation level 3 activated.       This happens when a kernel thread is created in the context of      a user space thread, which has TIF_IO_BITMAP set as the thread      flags are copied and the IO bitmap pointer is cleared.       Other than in the failed fork() case this has no impact because      kernel threads including IO workers never return to user space and      therefore never invoke tss_update_io_bitmap().  Cure this by adding the missing cleanups and checks:    1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if      the to be cleaned up task is not the current task.    2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user      space forks it is set later, when the IO bitmap is inherited in      io_bitmap_share().  For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38101",
                        "url": "https://ubuntu.com/security/CVE-2025-38101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()  Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38267",
                        "url": "https://ubuntu.com/security/CVE-2025-38267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not trigger WARN_ON() due to a commit_overrun  When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE().  But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as \"missed_events\".  In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning:   ------------[ cut here ]------------  WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780  Modules linked in: kvm_intel kvm irqbypass  CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780  Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50  RSP: 0018:ffff888121787dc0 EFLAGS: 00010002  RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49  RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8  RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982  R10: ffff888126934c17 R11: 
ffff8881010050a8 R12: ffff888126934c00  R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008  FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0  Call Trace:   <TASK>   ? __pfx_ring_buffer_map_get_reader+0x10/0x10   tracing_buffers_ioctl+0x283/0x370   __x64_sys_ioctl+0x134/0x190   do_syscall_64+0x79/0x1c0   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f95c8de48db  Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00  RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010  RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db  RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006  RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90   </TASK>  irq event stamp: 5080  hardirqs last  enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70  hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70  softirqs last  enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710  softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210  ---[ end trace 0000000000000000 ]---  The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command:   # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50  With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an event 
being written to add enough event ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38268",
                        "url": "https://ubuntu.com/security/CVE-2025-38268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work  A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.  Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:  [110121.667392][    C7] Call trace: [110121.667396][    C7]  __switch_to+0x174/0x338 [110121.667406][    C7]  __schedule+0x608/0x9f0 [110121.667414][    C7]  schedule+0x7c/0xe8 [110121.667423][    C7]  kernfs_drain+0xb0/0x114 [110121.667431][    C7]  __kernfs_remove+0x16c/0x20c [110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][    C7]  sysfs_remove_group+0x84/0xe8 [110121.667450][    C7]  sysfs_remove_groups+0x34/0x58 [110121.667458][    C7]  device_remove_groups+0x10/0x20 [110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4 [110121.667475][    C7]  device_release_driver+0x18/0x28 [110121.667484][    C7]  bus_remove_device+0xec/0x118 [110121.667491][    C7]  device_del+0x1e8/0x4ac [110121.667498][    C7]  device_unregister+0x18/0x38 [110121.667504][    C7]  typec_unregister_altmode+0x30/0x44 [110121.667515][    C7]  tcpm_reset_port+0xac/0x370 [110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8 [110121.667529][    C7]  run_state_machine+0x4c0/0x1b68 [110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4 [110121.667544][    C7]  kthread_worker_fn+0x10c/0x244 [110121.667552][    C7]  kthread+0x104/0x1d4 [110121.667557][    C7]  
ret_from_fork+0x10/0x20  [110121.667689][    C7] Workqueue: events dp_altmode_work [110121.667697][    C7] Call trace: [110121.667701][    C7]  __switch_to+0x174/0x338 [110121.667710][    C7]  __schedule+0x608/0x9f0 [110121.667717][    C7]  schedule+0x7c/0xe8 [110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40 [110121.667733][    C7]  __mutex_lock+0x408/0xdac [110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24 [110121.667748][    C7]  mutex_lock+0x40/0xec [110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4 [110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c [110121.667769][    C7]  dp_altmode_work+0x68/0x164 [110121.667775][    C7]  process_one_work+0x1e4/0x43c [110121.667783][    C7]  worker_thread+0x25c/0x430 [110121.667789][    C7]  kthread+0x104/0x1d4 [110121.667794][    C7]  ret_from_fork+0x10/0x20  Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38102",
                        "url": "https://ubuntu.com/security/CVE-2025-38102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify  During our test, it is found that a warning can be triggered in try_grab_folio as follows:    ------------[ cut here ]------------   WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130   Modules linked in:   CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)   RIP: 0010:try_grab_folio+0x106/0x130   Call Trace:    <TASK>    follow_huge_pmd+0x240/0x8e0    follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0    follow_pud_mask.constprop.0.isra.0+0x14a/0x170    follow_page_mask+0x1c2/0x1f0    __get_user_pages+0x176/0x950    __gup_longterm_locked+0x15b/0x1060    ? gup_fast+0x120/0x1f0    gup_fast_fallback+0x17e/0x230    get_user_pages_fast+0x5f/0x80    vmci_host_unlocked_ioctl+0x21c/0xf80   RIP: 0033:0x54d2cd   ---[ end trace 0000000000000000 ]---  Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follows:  cpu0\t\t\tcpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd  // update &context->notify_page \t\t\tvmci_host_do_set_notify \t\t\tvmci_ctx_unset_notify \t\t\tnotify_page = context->notify_page; \t\t\tif (notify_page) \t\t\tput_page(notify_page);\t// page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here  To solve this, use local variable page to make notify_page can be seen after finish get_user_pages_fast.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38301",
                        "url": "https://ubuntu.com/security/CVE-2025-38301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmem: zynqmp_nvmem: unbreak driver after cleanup  Commit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\") changed the driver to expect the device pointer to be passed as the \"context\", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38352",
                        "url": "https://ubuntu.com/security/CVE-2025-38352",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()  If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().  If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.  Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.  This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-07-22 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38103",
                        "url": "https://ubuntu.com/security/CVE-2025-38103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()  Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor.  Update all references to member element desc[0] to rpt_desc.  Add test to verify bLength and bNumDescriptors values are valid.  Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault.  Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38302",
                        "url": "https://ubuntu.com/security/CVE-2025-38302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work  Bios queued up in the zone write plug have already gone through all all preparation in the submit_bio path, including the freeze protection.  Submitting them through submit_bio_noacct_nocheck duplicates the work and can can cause deadlocks when freezing a queue with pending bio write plugs.  Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra freeze protection and checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38106",
                        "url": "https://ubuntu.com/security/CVE-2025-38106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()  syzbot reports:  BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304  CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x53/0x70  print_report+0xd0/0x670  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? getrusage+0x1109/0x1a60  kasan_report+0xce/0x100  ? getrusage+0x1109/0x1a60  getrusage+0x1109/0x1a60  ? __pfx_getrusage+0x10/0x10  __io_uring_show_fdinfo+0x9fe/0x1790  ? ksys_read+0xf7/0x1c0  ? do_syscall_64+0xa4/0x260  ? vsnprintf+0x591/0x1100  ? __pfx___io_uring_show_fdinfo+0x10/0x10  ? __pfx_vsnprintf+0x10/0x10  ? mutex_trylock+0xcf/0x130  ? __pfx_mutex_trylock+0x10/0x10  ? __pfx_show_fd_locks+0x10/0x10  ? io_uring_show_fdinfo+0x57/0x80  io_uring_show_fdinfo+0x57/0x80  seq_show+0x38c/0x690  seq_read_iter+0x3f7/0x1180  ? inode_set_ctime_current+0x160/0x4b0  seq_read+0x271/0x3e0  ? __pfx_seq_read+0x10/0x10  ? __pfx__raw_spin_lock+0x10/0x10  ? __mark_inode_dirty+0x402/0x810  ? selinux_file_permission+0x368/0x500  ? file_update_time+0x10f/0x160  vfs_read+0x177/0xa40  ? __pfx___handle_mm_fault+0x10/0x10  ? __pfx_vfs_read+0x10/0x10  ? mutex_lock+0x81/0xe0  ? __pfx_mutex_lock+0x10/0x10  ? fdget_pos+0x24d/0x4b0  ksys_read+0xf7/0x1c0  ? __pfx_ksys_read+0x10/0x10  ? 
do_user_addr_fault+0x43b/0x9c0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000  </TASK>  Allocated by task 298:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  __kasan_slab_alloc+0x6e/0x70  kmem_cache_alloc_node_noprof+0xe8/0x330  copy_process+0x376/0x5e00  create_io_thread+0xab/0xf0  io_sq_offload_create+0x9ed/0xf20  io_uring_setup+0x12b0/0x1cc0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 22:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3b/0x60  __kasan_slab_free+0x37/0x50  kmem_cache_free+0xc4/0x360  rcu_core+0x5ff/0x19f0  handle_softirqs+0x18c/0x530  run_ksoftirqd+0x20/0x30  smpboot_thread_fn+0x287/0x6c0  kthread+0x30d/0x630  ret_from_fork+0xef/0x1a0  ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:  kasan_save_stack+0x33/0x60  kasan_record_aux_stack+0x8c/0xa0  __call_rcu_common.constprop.0+0x68/0x940  __schedule+0xff2/0x2930  __cond_resched+0x4c/0x80  mutex_lock+0x5c/0xe0  io_uring_del_tctx_node+0xe1/0x2b0  io_uring_clean_tctx+0xb7/0x160  io_uring_cancel_generic+0x34e/0x760  do_exit+0x240/0x2350  do_group_exit+0xab/0x220  __x64_sys_exit_group+0x39/0x40  x64_sys_call+0x1243/0x1840  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  The buggy address belongs to the object at ffff88810de2cb00  which belongs to the cache task_struct of size 
3712 The buggy address is located 1992 bytes inside of  freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)  which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre relase or exit of sq->thread.  Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38269",
                        "url": "https://ubuntu.com/security/CVE-2025-38269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: exit after state insertion failure at btrfs_convert_extent_bit()  If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access.  So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38270",
                        "url": "https://ubuntu.com/security/CVE-2025-38270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: drv: netdevsim: don't napi_complete() from netpoll  netdevsim supports netpoll. Make sure we don't call napi_complete() from it, since it may not be scheduled. Breno reports hitting a warning in napi_complete_done():  WARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560   __napi_poll+0x2d8/0x3a0   handle_softirqs+0x1fe/0x710  This is presumably after netpoll stole the SCHED bit prematurely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38107",
                        "url": "https://ubuntu.com/security/CVE-2025-38107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: ets: fix a race in ets_qdisc_change()  Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38108",
                        "url": "https://ubuntu.com/security/CVE-2025-38108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: red: fix a race in __red_change()  Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38109",
                        "url": "https://ubuntu.com/security/CVE-2025-38109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix ECVF vports unload on shutdown flow  Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed.  ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports.  kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28    refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38303",
                        "url": "https://ubuntu.com/security/CVE-2025-38303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: eir: Fix possible crashes on eir_create_adv_data  eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38304",
                        "url": "https://ubuntu.com/security/CVE-2025-38304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: Fix NULL pointer deference on eir_get_service_data  The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38110",
                        "url": "https://ubuntu.com/security/CVE-2025-38110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds clause 45 read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38111",
                        "url": "https://ubuntu.com/security/CVE-2025-38111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38112",
                        "url": "https://ubuntu.com/security/CVE-2025-38112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: Fix TOCTOU issue in sk_is_readable()  sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL.  This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference.  Ensure the function pointer does not turn NULL after the check.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38113",
                        "url": "https://ubuntu.com/security/CVE-2025-38113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: CPPC: Fix NULL pointer dereference when nosmp is used  With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic.  Panic backtrace:  [    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [    0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init!  [ rjw: New subject ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38088",
                        "url": "https://ubuntu.com/security/CVE-2025-38088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap  memtrace mmap issue has an out of bounds issue. This patch fixes the by checking that the requested mapping region size should stay within the allocated region size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38115",
                        "url": "https://ubuntu.com/security/CVE-2025-38115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: fix a potential crash on gso_skb handling  SFQ has an assumption of always being able to queue at least one packet.  However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop.  Fix sfq_drop() to properly clear q->tail in this situation.   ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off                 # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100  ip netns exec lb netserver  netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 &",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38414",
                        "url": "https://ubuntu.com/security/CVE-2025-38414",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850  GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms.  Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue.  Note IPQ5332 is not affected as it is not PCIe based device.  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-25 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38305",
                        "url": "https://ubuntu.com/security/CVE-2025-38305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()  There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use.  However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store().  ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415  but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215  other info that might help us debug this:  Possible unsafe locking scenario:         CPU0        ----   lock(&ptp->n_vclocks_mux);   lock(&ptp->n_vclocks_mux);   *** DEADLOCK *** .... ============================================  The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use().  The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks.  Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38117",
                        "url": "https://ubuntu.com/security/CVE-2025-38117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Protect mgmt_pending list with its own lock  This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like:  ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318  CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace:  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)  __dump_stack+0x30/0x40 lib/dump_stack.c:94  dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120  print_address_description+0xa8/0x254 mm/kasan/report.c:408  print_report+0x68/0x84 mm/kasan/report.c:521  kasan_report+0xb0/0x110 mm/kasan/report.c:634  __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379  hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91  mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223  pending_find net/bluetooth/mgmt.c:947 [inline]  remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445  hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712  hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  sock_write_iter+0x25c/0x378 net/socket.c:1131  new_sync_write fs/read_write.c:591 [inline]  vfs_write+0x62c/0x97c fs/read_write.c:684  ksys_write+0x120/0x210 fs/read_write.c:736  __do_sys_write fs/read_write.c:747 [inline]  __se_sys_write fs/read_write.c:744 [inline]  __arm64_sys_write+0x7c/0x90 fs/read_write.c:744  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Allocated by task 7037:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4327 [inline]  __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198  sk_alloc+0x44/0x3ac net/core/sock.c:2254  bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148  hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202  bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132  __sock_create+0x43c/0x91c net/socket.c:1541  sock_create net/socket.c:1599 [inline]  __sys_socket_create net/socket.c:1636 [inline]  __sys_socket+0xd4/0x1c0 net/socket.c:1683  __do_sys_socket net/socket.c:1697 [inline]  __se_sys_socket net/socket.c:1695 [inline]  __arm64_sys_socket+0x7c/0x94 net/socket.c:1695  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Freed by task 6607:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x68/0x88 
mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38118",
                        "url": "https://ubuntu.com/security/CVE-2025-38118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete  This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow:  ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341  CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406  hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 5987:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252  mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279  
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:727  sock_write_iter+0x258/0x330 net/socket.c:1131  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x548/0xa90 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 5989:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2380 [inline]  slab_free mm/slub.c:4642 [inline]  kfree+0x18e/0x440 mm/slub.c:4841  mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242  mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366  hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314  __sys_bind_socket net/socket.c:1810 [inline]  __sys_bind+0x2c3/0x3e0 net/socket.c:1841  __do_sys_bind net/socket.c:1846 [inline]  __se_sys_bind net/socket.c:1844 [inline]  __x64_sys_bind+0x7a/0x90 net/socket.c:1844  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38119",
                        "url": "https://ubuntu.com/security/CVE-2025-38119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: core: ufs: Fix a hang in the error handler  ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before.  Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20  [ bvanassche: rewrote patch description ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38307",
                        "url": "https://ubuntu.com/security/CVE-2025-38307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Verify content returned by parse_int_array()  The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38310",
                        "url": "https://ubuntu.com/security/CVE-2025-38310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: Fix validation of nexthop addresses  The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one.  Fix by validating that the provided length exactly matches the specified one.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38120",
                        "url": "https://ubuntu.com/security/CVE-2025-38120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_set_pipapo_avx2: fix initial map fill  If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map.  The early fix was incomplete and did only fix up the generic C implementation.  A followup patch adds a test case to nft_concat_range.sh.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38122",
                        "url": "https://ubuntu.com/security/CVE-2025-38122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO  gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer.  Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails.  This improves robustness in low-memory scenarios.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38123",
                        "url": "https://ubuntu.com/security/CVE-2025-38123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: Fix napi rx poll issue  When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic.  BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x620 [...] Call Trace:  <IRQ>  ? __die_body+0x68/0xb0  ? page_fault_oops+0x379/0x3e0  ? exc_page_fault+0x4f/0xa0  ? asm_exc_page_fault+0x22/0x30  ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]  ? dev_gro_receive+0x3a/0x620  napi_gro_receive+0xad/0x170  t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]  t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]  net_rx_action+0x103/0x470  irq_exit_rcu+0x13a/0x310  sysvec_apic_timer_interrupt+0x56/0x90  </IRQ>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38124",
                        "url": "https://ubuntu.com/security/CVE-2025-38124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix udp gso skb_segment after pull from frag_list  Commit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after pull from frag_list\") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust.  If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below.  Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size  Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants.  In extreme cases they pull one part of data into skb linear. For UDP, this  causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes.  The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment.      
skb_segment+0xcd0/0xd14     __udp_gso_segment+0x334/0x5f4     udp4_ufo_fragment+0x118/0x15c     inet_gso_segment+0x164/0x338     skb_mac_gso_segment+0xc4/0x13c     __skb_gso_segment+0xc4/0x124     validate_xmit_skb+0x9c/0x2c0     validate_xmit_skb_list+0x4c/0x80     sch_direct_xmit+0x70/0x404     __dev_queue_xmit+0x64c/0xe5c     neigh_resolve_output+0x178/0x1c4     ip_finish_output2+0x37c/0x47c     __ip_finish_output+0x194/0x240     ip_finish_output+0x20/0xf4     ip_output+0x100/0x1a0     NF_HOOK+0xc4/0x16c     ip_forward+0x314/0x32c     ip_rcv+0x90/0x118     __netif_receive_skb+0x74/0x124     process_backlog+0xe8/0x1a4     __napi_poll+0x5c/0x1f8     net_rx_action+0x154/0x314     handle_softirqs+0x154/0x4b8      [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!     [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP     [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000     [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000     [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)     [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14     [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14     [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38125",
                        "url": "https://ubuntu.com/security/CVE-2025-38125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring EST  If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0.  Prevent this division by 0 by adding the corresponding check and error code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38126",
                        "url": "https://ubuntu.com/security/CVE-2025-38126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping  The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0:   Division by zero in kernel.  CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22  Hardware name: STM32 (Device Tree Support)  Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x6c/0x8c   dump_stack_lvl from Ldiv0_64+0x8/0x18   Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4   stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c   stmmac_hw_setup from __stmmac_open+0x18c/0x434   __stmmac_open from stmmac_open+0x3c/0xbc   stmmac_open from __dev_open+0xf4/0x1ac   __dev_open from __dev_change_flags+0x1cc/0x224   __dev_change_flags from dev_change_flags+0x24/0x60   dev_change_flags from ip_auto_config+0x2e8/0x11a0   ip_auto_config from do_one_initcall+0x84/0x33c   do_one_initcall from kernel_init_freeable+0x1b8/0x214   kernel_init_freeable from kernel_init+0x24/0x140   kernel_init from ret_from_fork+0x14/0x28  Exception stack(0xe0815fb0 to 0xe0815ff8)  Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38127",
                        "url": "https://ubuntu.com/security/CVE-2025-38127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix Tx scheduler error handling in XDP callback  When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation.  The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace:  [  +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [  +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [  +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [  +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [  +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]  [...]  [  +0.002715] Call Trace: [  +0.002452]  <IRQ> [  +0.002021]  ? __die_body.cold+0x19/0x29 [  +0.003922]  ? die_addr+0x3c/0x60 [  +0.003319]  ? exc_general_protection+0x17c/0x400 [  +0.004707]  ? asm_exc_general_protection+0x26/0x30 [  +0.004879]  ? __ice_update_sample+0x39/0xe0 [ice] [  +0.004835]  ice_napi_poll+0x665/0x680 [ice] [  +0.004320]  __napi_poll+0x28/0x190 [  +0.003500]  net_rx_action+0x198/0x360 [  +0.003752]  ? update_rq_clock+0x39/0x220 [  +0.004013]  handle_softirqs+0xf1/0x340 [  +0.003840]  ? 
sched_clock_cpu+0xf/0x1f0 [  +0.003925]  __irq_exit_rcu+0xc2/0xe0 [  +0.003665]  common_interrupt+0x85/0xa0 [  +0.003839]  </IRQ> [  +0.002098]  <TASK> [  +0.002106]  asm_common_interrupt+0x26/0x40 [  +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690  Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38129",
                        "url": "https://ubuntu.com/security/CVE-2025-38129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: Fix use-after-free in page_pool_recycle_in_ring  syzbot reported a uaf in page_pool_recycle_in_ring:  BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943  CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x169/0x550 mm/kasan/report.c:489  kasan_report+0x143/0x180 mm/kasan/report.c:602  lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]  _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210  spin_unlock_bh include/linux/spinlock.h:396 [inline]  ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]  page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]  page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826  page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]  page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]  napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036  skb_pp_recycle net/core/skbuff.c:1047 [inline]  skb_free_head net/core/skbuff.c:1094 [inline]  skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125  skb_release_all net/core/skbuff.c:1190 [inline]  __kfree_skb net/core/skbuff.c:1204 [inline]  sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242  kfree_skb_reason include/linux/skbuff.h:1263 [inline]  __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]  root cause is:  page_pool_recycle_in_ring   ptr_ring_produce     spin_lock(&r->producer_lock);     WRITE_ONCE(r->queue[r->producer++], ptr) 
      //recycle last page to pool \t\t\t\tpage_pool_release \t\t\t\t  page_pool_scrub \t\t\t\t    page_pool_empty_ring \t\t\t\t      ptr_ring_consume \t\t\t\t      page_pool_return_page  //release all page \t\t\t\t  __page_pool_destroy \t\t\t\t     free_percpu(pool->recycle_stats); \t\t\t\t     free(pool) //free       spin_unlock(&r->producer_lock); //pool->ring uaf read   recycle_stat_inc(pool, ring);  page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.  recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38131",
                        "url": "https://ubuntu.com/security/CVE-2025-38131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: prevent deactivate active config while enabling the config  While enabling the active config via cscfg_csdev_enable_active_config(), the active config could be deactivated via configfs' sysfs interface. This could cause a UAF in the scenario below:  CPU0                                          CPU1 (sysfs enable)                                load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock)                                                deactivate config // sysfs                                               (sys_active_cnt == 0)                                               cscfg_unload_config_sets()                                               unload module  // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config  To address this, use cscfg_config_desc's active_cnt as a reference count  which will be held when     - activate the config.     - enable the activated config. and put the module reference when config_active_cnt == 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38274",
                        "url": "https://ubuntu.com/security/CVE-2025-38274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()  fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference.  Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38134",
                        "url": "https://ubuntu.com/security/CVE-2025-38134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()  As demonstrated by the fix for update_port_device_state, commit 12783c0b9e2c (\"usb: core: Prevent null pointer dereference in update_port_device_state\"), usb_hub_to_struct_hub() can return NULL in certain scenarios, such as during hub driver unbind or teardown race conditions, even if the underlying usb_device structure exists.  Plus, all other places that call usb_hub_to_struct_hub() in the same file do check for NULL return values.  If usb_hub_to_struct_hub() returns NULL, the subsequent access to hub->ports[udev->portnum - 1] will cause a null pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38135",
                        "url": "https://ubuntu.com/security/CVE-2025-38135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: Fix potential null-ptr-deref in mlb_usio_probe()  devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference.  Add NULL check after devm_ioremap() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38136",
                        "url": "https://ubuntu.com/security/CVE-2025-38136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: renesas_usbhs: Reorder clock handling and power management in probe  Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks.  Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows:      usbhs_probe()         usbhs_sys_clock_ctrl()             usbhs_bset()                 usbhs_write()                     iowrite16()  <-- Register access before enabling clocks  Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H:  [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 
00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076]  platform_probe+0x68/0xdc [13.406738]  really_probe+0xbc/0x2c0 [13.410306]  __driver_probe_device+0x78/0x120 [13.414653]  driver_probe_device+0x3c/0x154 [13.418825]  __driver_attach+0x90/0x1a0 [13.422647]  bus_for_each_dev+0x7c/0xe0 [13.426470]  driver_attach+0x24/0x30 [13.430032]  bus_add_driver+0xe4/0x208 [13.433766]  driver_register+0x68/0x130 [13.437587]  __platform_driver_register+0x24/0x30 [13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450]  do_one_initcall+0x60/0x1d4 [13.452276]  do_init_module+0x54/0x1f8 [13.456014]  load_module+0x1754/0x1c98 [13.459750]  init_module_from_file+0x88/0xcc [13.464004]  __arm64_sys_finit_module+0x1c4/0x328 [13.468689]  invoke_syscall+0x48/0x104 [13.472426]  el0_svc_common.constprop.0+0xc0/0xe0 [13.477113]  do_el0_svc+0x1c/0x28 [13.480415]  el0_svc+0x30/0xcc [13.483460]  el0t_64_sync_handler+0x10c/0x138 [13.487800]  el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38138",
                        "url": "https://ubuntu.com/security/CVE-2025-38138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: Add NULL check in udma_probe()  devm_kasprintf() returns NULL when memory allocation fails. Currently, udma_probe() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38275",
                        "url": "https://ubuntu.com/security/CVE-2025-38275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug  The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference.  Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38141",
                        "url": "https://ubuntu.com/security/CVE-2025-38141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix dm_blk_report_zones  If dm_get_live_table() returned NULL, dm_put_live_table() was never called. Also, it is possible that md->zone_revalidate_map will change while calling this function. Only read it once, so that we are always using the same value. Otherwise we might miss a call to dm_put_live_table().  Finally, while md->zone_revalidate_map is set and a process is calling blk_revalidate_disk_zones() to set up the zone append emulation resources, it is possible that another process, perhaps triggered by blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If blk_revalidate_disk_zones() fails, these resources can be freed while the other process is still using them, causing a use-after-free error.  blk_revalidate_disk_zones() will only ever be called when initially setting up the zone append emulation resources, such as when setting up a zoned dm-crypt table for the first time. Further table swaps will not set md->zone_revalidate_map or call blk_revalidate_disk_zones(). However it must be called using the new table (referenced by md->zone_revalidate_map) and the new queue limits while the DM device is suspended. dm_blk_report_zones() needs some way to distinguish between a call from blk_revalidate_disk_zones(), which must be allowed to use md->zone_revalidate_map to access this not yet activated table, and all other calls to dm_blk_report_zones(), which should not be allowed while the device is suspended and cannot use md->zone_revalidate_map, since the zone resources might be freed by the process currently calling blk_revalidate_disk_zones().  Solve this by tracking the process that sets md->zone_revalidate_map in dm_revalidate_zones() and only allowing that process to make use of it in dm_blk_report_zones().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38142",
                        "url": "https://ubuntu.com/security/CVE-2025-38142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (asus-ec-sensors) check sensor index in read_string()  Prevent a potential invalid memory access when the requested sensor is not found.  find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info().  Add a proper check to return -EINVAL if sensor_index is negative.  Found by Linux Verification Center (linuxtesting.org) with SVACE.  [groeck: Return error code returned from find_ec_sensor_index]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38277",
                        "url": "https://ubuntu.com/security/CVE-2025-38277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: nand: ecc-mxic: Fix use of uninitialized variable ret  If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes.  This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization.  Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38143",
                        "url": "https://ubuntu.com/security/CVE-2025-38143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  backlight: pm8941: Add NULL check in wled_configure()  devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38312",
                        "url": "https://ubuntu.com/security/CVE-2025-38312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()  In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow...  Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38145",
                        "url": "https://ubuntu.com/security/CVE-2025-38145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()  devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.  [arj: Fix Fixes: tag to use subject from 3772e5da4454]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38313",
                        "url": "https://ubuntu.com/security/CVE-2025-38313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: fix double-free on mc_dev  The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable.  In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed.  This commit introduces back the following checkpatch warning which is a false-positive.  WARNING: kfree(NULL) is safe and this check is probably not required +       if (mc_bus) +               kfree(mc_bus);",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38415",
                        "url": "https://ubuntu.com/security/CVE-2025-38415",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: check return result of sb_min_blocksize  Syzkaller reports an \"UBSAN: shift-out-of-bounds in squashfs_bio_read\" bug.  Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl(\"/dev/loop0\", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs.  When this happens the following code in squashfs_fill_super() fails.  ---- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize); ----  sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.  As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.  This subsequently causes the  UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')  This commit adds a check for a 0 return by sb_min_blocksize().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-25 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38146",
                        "url": "https://ubuntu.com/security/CVE-2025-38146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: openvswitch: Fix the dead loop of MPLS parse  The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally.  stack backtrace: UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 index -1 is out of range for type '__be32 [3]' CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE  5.15.0-121-generic #131-Ubuntu Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 Call Trace:  <IRQ>  show_stack+0x52/0x5c  dump_stack_lvl+0x4a/0x63  dump_stack+0x10/0x16  ubsan_epilogue+0x9/0x36  __ubsan_handle_out_of_bounds.cold+0x44/0x49  key_extract_l3l4+0x82a/0x840 [openvswitch]  ? kfree_skbmem+0x52/0xa0  key_extract+0x9c/0x2b0 [openvswitch]  ovs_flow_key_extract+0x124/0x350 [openvswitch]  ovs_vport_receive+0x61/0xd0 [openvswitch]  ? kernel_init_free_pages.part.0+0x4a/0x70  ? get_page_from_freelist+0x353/0x540  netdev_port_receive+0xc4/0x180 [openvswitch]  ? netdev_port_receive+0x180/0x180 [openvswitch]  netdev_frame_hook+0x1f/0x40 [openvswitch]  __netif_receive_skb_core.constprop.0+0x23a/0xf00  __netif_receive_skb_list_core+0xfa/0x240  netif_receive_skb_list_internal+0x18e/0x2a0  napi_complete_done+0x7a/0x1c0  bnxt_poll+0x155/0x1c0 [bnxt_en]  __napi_poll+0x30/0x180  net_rx_action+0x126/0x280  ? bnxt_msix+0x67/0x80 [bnxt_en]  handle_softirqs+0xda/0x2d0  irq_exit_rcu+0x96/0xc0  common_interrupt+0x8e/0xa0  </IRQ>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38147",
                        "url": "https://ubuntu.com/security/CVE-2025-38147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  calipso: Don't call calipso functions for AF_INET sk.  syzkaller reported a null-ptr-deref in txopt_get(). [0]  The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there.  However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one.  The root cause is missing validation in netlbl_conn_setattr().  netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace.  However, netlbl_conn_setattr() does not check if the address family matches the socket.  The syzkaller must have called connect() for an IPv6 address on an IPv4 socket.  We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage.  Let's copy the validation to netlbl_conn_setattr().  [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS:  00007f9019bd7640(0000) 
GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace:  <TASK>  calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557  netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177  selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569  selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]  selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615  selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931  security_socket_connect+0x50/0xa0 security/security.c:4598  __sys_connect_file+0xa4/0x190 net/socket.c:2067  __sys_connect+0x12c/0x170 net/socket.c:2088  __do_sys_connect net/socket.c:2098 [inline]  __se_sys_connect net/socket.c:2095 [inline]  __x64_sys_connect+0x73/0xb0 net/socket.c:2095  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000  </TASK> Modules linked in:",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38278",
                        "url": "https://ubuntu.com/security/CVE-2025-38278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback  This patch addresses below issues,  1. Active traffic on the leaf node must be stopped before its send queue    is reassigned to the parent. This patch resolves the issue by marking    the node as 'Inner'.  2. During a system reboot, the interface receives TC_HTB_LEAF_DEL    and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.    In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue    is reassigned to the parent, the current logic still attempts to update    the real number of queues, leading to below warnings          New queues can't be registered after device unregistration.         WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714         netdev_queue_update_kobjects+0x1e4/0x200",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38148",
                        "url": "https://ubuntu.com/security/CVE-2025-38148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: mscc: Fix memory leak when using one step timestamping  Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never be released. Fix this by freeing the frame in case of one-step timestamping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38149",
                        "url": "https://ubuntu.com/security/CVE-2025-38149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: clear phydev->devlink when the link is deleted  There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the \"error\" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows.  [   24.702421] Call trace: [   24.704856]  device_link_put_kref+0x20/0x120 [   24.709124]  device_link_del+0x30/0x48 [   24.712864]  phy_detach+0x24/0x168 [   24.716261]  phy_attach_direct+0x168/0x3a4 [   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c [   24.725140]  phylink_of_phy_connect+0x1c/0x34  Therefore, phydev->devlink needs to be cleared when the device link is deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38280",
                        "url": "https://ubuntu.com/security/CVE-2025-38280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Avoid __bpf_prog_ret0_warn when jit fails  syzkaller reported an issue:  WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace:  <TASK>  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105  ...  When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, but jit failed due to FAULT_INJECTION. As a result, incorrectly treats the program as valid, when the program runs it calls `__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38151",
                        "url": "https://ubuntu.com/security/CVE-2025-38151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work  The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item currently in the work queue.  However, it left a problem when queue_work fails (because the item is still pending in the work queue from a previous call). In this case, cma_id_put (which is called in the work handler) is therefore not called. This results in a userspace process hang (zombie process).  Fix this by calling cma_id_put() if queue_work fails.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38153",
                        "url": "https://ubuntu.com/security/CVE-2025-38153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: aqc111: fix error handling of usbnet read calls  Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").  For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings.  Fix the issue by verifying that the number of bytes read is as expected and not less.  [1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  is_valid_ether_addr include/linux/etherdevice.h:208 [inline]  usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline]  really_probe+0x4d1/0xd90 drivers/base/dd.c:658  __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ...  Uninit was stored to memory at:  dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582  __dev_addr_set include/linux/netdevice.h:4874 [inline]  eth_hw_addr_set include/linux/etherdevice.h:325 [inline]  aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ...  
Uninit was stored to memory at:  ether_addr_copy include/linux/etherdevice.h:305 [inline]  aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]  aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline] ...  Local variable buf.i created at:  aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]  aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38154",
                        "url": "https://ubuntu.com/security/CVE-2025-38154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Avoid using sk_socket after free when sending  The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected.  Race conditions: ''' CPU0                               CPU1  backlog::skb_send_sock   sendmsg_unlocked     sock_sendmsg       sock_sendmsg_nosec                                    close(fd):                                      ...                                      ops->release() -> sock_map_close()                                      sk_socket->ops = NULL                                      free(socket)       sock->ops->sendmsg             ^             panic here '''  The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() {     ...     if (likely(psock)) {     ...     // !! here we remove psock and the ref of psock become 0     sock_map_remove_links(sk, psock)     psock = sk_psock_get(sk);     if (unlikely(!psock))         goto no_psock; <=== Control jumps here via goto         ...         cancel_delayed_work_sync(&psock->work); <=== not executed         sk_psock_put(sk, psock);         ... } '''  Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions.  With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work.  If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync().  In summary, we require synchronization to coordinate the backlog thread and close() thread.  
The panic I catched: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace:  <TASK>  ? die_addr+0x40/0xa0  ? exc_general_protection+0x14c/0x230  ? asm_exc_general_protection+0x26/0x30  ? sock_sendmsg+0x21d/0x440  ? sock_sendmsg+0x3e0/0x440  ? __pfx_sock_sendmsg+0x10/0x10  __skb_send_sock+0x543/0xb70  sk_psock_backlog+0x247/0xb80 ... '''",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38315",
                        "url": "https://ubuntu.com/security/CVE-2025-38315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btintel: Check dsbr size from EFI variable  Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38155",
                        "url": "https://ubuntu.com/security/CVE-2025-38155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7915_mmio_wed_init().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38156",
                        "url": "https://ubuntu.com/security/CVE-2025-38156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7996_mmio_wed_init()",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38282",
                        "url": "https://ubuntu.com/security/CVE-2025-38282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kernfs: Relax constraint in draining guard  The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanism is in place, the WARN check in kernfs_should_drain_open_files() is too sensitive -- it may transiently catch those (rightful) callers between kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen Ridong:  \tkernfs_remove_by_name_ns\tkernfs_get_active // active=1 \t__kernfs_remove\t\t\t\t\t  // active=0x80000002 \tkernfs_drain\t\t\t... \twait_event \t//waiting (active == 0x80000001) \t\t\t\t\tkernfs_break_active_protection \t\t\t\t\t// active = 0x80000001 \t// continue \t\t\t\t\tkernfs_unbreak_active_protection \t\t\t\t\t// active = 0x80000002 \t... \tkernfs_should_drain_open_files \t// warning occurs \t\t\t\t\tkernfs_put_active  To avoid the false positives (mind panic_on_warn) remove the check altogether. (This is meant as quick fix, I think active reference break/unbreak may be simplified with larger rework.)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38157",
                        "url": "https://ubuntu.com/security/CVE-2025-38157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath9k_htc: Abort software beacon handling if disabled  A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a divide-by-zero error in the driver, leading to either a crash or an out of bounds read.  Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38283",
                        "url": "https://ubuntu.com/security/CVE-2025-38283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: bugfix live migration function without VF device driver  If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors.  Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38158",
                        "url": "https://ubuntu.com/security/CVE-2025-38158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: fix XQE dma address error  The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services  failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected.  Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data.  In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38159",
                        "url": "https://ubuntu.com/security/CVE-2025-38159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds  Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes:  void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) {     ...     SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);     SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));     ...     SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));  Detected using the static analysis tool - Svace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38285",
                        "url": "https://ubuntu.com/security/CVE-2025-38285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix WARN() in get_bpf_raw_tp_regs  syzkaller reported an issue:  WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 FS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]  bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]  bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405  __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47  __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47  __do_trace_mmap_lock_acquire_returned 
include/trace/events/mmap_lock.h:47 [inline]  trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]  __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]  mmap_read_trylock include/linux/mmap_lock.h:204 [inline]  stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157  __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483  ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]  bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]  bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  Tracepoint like trace_mmap_lock_acquire_returned may cause nested call as the corner case show above, which will be resolved with more general method in the future. As a result, WARN_ON_ONCE will be triggered. As Alexei suggested, remove the WARN_ON_ONCE first.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38286",
                        "url": "https://ubuntu.com/security/CVE-2025-38286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: at91: Fix possible out-of-boundary access  at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38160",
                        "url": "https://ubuntu.com/security/CVE-2025-38160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()  devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38161",
                        "url": "https://ubuntu.com/security/CVE-2025-38161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction  Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure.  Now properly rollback the object to its original state upon such failure.  In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G          OE     -------  ---  6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: 
ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace:  refcount_warn_saturate+0xf4/0x148  mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]  mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]  mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]  ib_destroy_wq_user+0x30/0xc0 [ib_core]  uverbs_free_wq+0x28/0x58 [ib_uverbs]  destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]  uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]  __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]  uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]  ib_uverbs_close+0x2c/0x100 [ib_uverbs]  __fput+0xd8/0x2f0  __fput_sync+0x50/0x70  __arm64_sys_close+0x40/0x90  invoke_syscall.constprop.0+0x74/0xd0  do_el0_svc+0x48/0xe8  el0_svc+0x44/0x1d0  el0t_64_sync_handler+0x120/0x130  el0t_64_sync+0x1a4/0x1a8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38162",
                        "url": "https://ubuntu.com/security/CVE-2025-38162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo: prevent overflow in lookup table allocation  When calculating the lookup table size, ensure the following multiplication does not overflow:  - desc->field_len[] maximum value is U8_MAX multiplied by   NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in   struct nft_pipapo_field.  Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this.  While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38288",
                        "url": "https://ubuntu.com/security/CVE-2025-38288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels  Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id().  smp_processor_id() checks to see if preemption is disabled and if not, issue an error message followed by a call to dump_stack().  Brief example of call trace: kernel:  check_preemption_disabled: 436 callbacks suppressed kernel:  BUG: using smp_processor_id() in preemptible [00000000]          code: kworker/u1025:0/2354 kernel:  caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  CPU: 129 PID: 2354 Comm: kworker/u1025:0 kernel:  ... kernel:  Workqueue: writeback wb_workfn (flush-253:0) kernel:  Call Trace: kernel:   <TASK> kernel:   dump_stack_lvl+0x34/0x48 kernel:   check_preemption_disabled+0xdd/0xe0 kernel:   pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  ...",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38290",
                        "url": "https://ubuntu.com/security/CVE-2025-38290",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20  The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38292",
                        "url": "https://ubuntu.com/security/CVE-2025-38292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix invalid access to memory  In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error.  Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used.  Compile tested only.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38163",
                        "url": "https://ubuntu.com/security/CVE-2025-38163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to do sanity check on sbi->total_valid_block_count  syzbot reported a f2fs bug as below:  ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace:  f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695  truncate_dnode+0x417/0x740 fs/f2fs/node.c:973  truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014  f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197  f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810  f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838  f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888  f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112  notify_change+0xbca/0xe90 fs/attr.c:552  do_truncate+0x222/0x310 fs/open.c:65  handle_truncate fs/namei.c:3466 [inline]  do_open fs/namei.c:3849 [inline]  path_openat+0x2e4f/0x35d0 fs/namei.c:4004  do_filp_open+0x284/0x4e0 fs/namei.c:4031  do_sys_openat2+0x12b/0x1d0 fs/open.c:1429  do_sys_open fs/open.c:1444 [inline]  __do_sys_creat fs/open.c:1522 [inline]  __se_sys_creat fs/open.c:1516 [inline]  __x64_sys_creat+0x124/0x170 fs/open.c:1516  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94  The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38317",
                        "url": "https://ubuntu.com/security/CVE-2025-38317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Fix buffer overflow in debugfs  If the user tries to write more than 32 bytes then it results in memory corruption.  Fortunately, this is debugfs so it's limited to root users.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38164",
                        "url": "https://ubuntu.com/security/CVE-2025-38164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: zone: fix to avoid inconsistence in between SIT and SSA  w/ below testcase, it will cause inconsistence in between SIT and SSA.  create_null_blk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch /mnt/f2fs/file f2fs_io pinfile set /mnt/f2fs/file fallocate -l 4GiB /mnt/f2fs/file  F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G           O      6.13.0-rc1 #84 Tainted: [O]=OOT_MODULE Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 Call Trace:  <TASK>  dump_stack_lvl+0xb3/0xd0  dump_stack+0x14/0x20  f2fs_handle_critical_error+0x18c/0x220 [f2fs]  f2fs_stop_checkpoint+0x38/0x50 [f2fs]  do_garbage_collect+0x674/0x6e0 [f2fs]  f2fs_gc_range+0x12b/0x230 [f2fs]  f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]  f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]  f2fs_fallocate+0x3c3/0x410 [f2fs]  vfs_fallocate+0x15f/0x4b0  __x64_sys_fallocate+0x4a/0x80  x64_sys_call+0x15e8/0x1b80  do_syscall_64+0x68/0x130  entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f9dba5197ca F2FS-fs (nullb0): Stopped filesystem due to reason: 4  The reason is f2fs_gc_range() may try to migrate block in curseg, however, its SSA block is not uptodate due to the last summary block data is still in cache of curseg.  In this patch, we add a condition in f2fs_gc_range() to check whether section is opened or not, and skip block migration for opened section.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38165",
                        "url": "https://ubuntu.com/security/CVE-2025-38165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Fix panic when calling skb_linearize  The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000  Then a kernel panic was captured: ''' [  657.460555] kernel BUG at net/core/skbuff.c:2178! [  657.462680] Tainted: [W]=WARN [  657.463287] Workqueue: events sk_psock_backlog ... [  657.469610]  <TASK> [  657.469738]  ? die+0x36/0x90 [  657.469916]  ? do_trap+0x1d0/0x270 [  657.470118]  ? pskb_expand_head+0x612/0xf40 [  657.470376]  ? pskb_expand_head+0x612/0xf40 [  657.470620]  ? do_error_trap+0xa3/0x170 [  657.470846]  ? pskb_expand_head+0x612/0xf40 [  657.471092]  ? handle_invalid_op+0x2c/0x40 [  657.471335]  ? pskb_expand_head+0x612/0xf40 [  657.471579]  ? exc_invalid_op+0x2d/0x40 [  657.471805]  ? asm_exc_invalid_op+0x1a/0x20 [  657.472052]  ? pskb_expand_head+0xd1/0xf40 [  657.472292]  ? pskb_expand_head+0x612/0xf40 [  657.472540]  ? lock_acquire+0x18f/0x4e0 [  657.472766]  ? find_held_lock+0x2d/0x110 [  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10 [  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470 [  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10 [  657.473826]  __pskb_pull_tail+0xfd/0x1d20 [  657.474062]  ? __kasan_slab_alloc+0x4e/0x90 [  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510 [  657.475392]  ? __kasan_kmalloc+0xaa/0xb0 [  657.476010]  sk_psock_backlog+0x5cf/0xd70 [  657.476637]  process_one_work+0x858/0x1a20 '''  The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.  
The \"--rx-strp 100000\" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.  To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.  ''' sk_psock_backlog:     sk_psock_handle_skb        skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'        sk_psock_skb_ingress____________                                        ↓                                        |                                        | → sk_psock_skb_ingress_self                                        |      sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑          skb_linearize '''  Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38166",
                        "url": "https://ubuntu.com/security/CVE-2025-38166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix ktls panic with sockmap  [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299]  <TASK> [ 2172.945428]  ? die+0x36/0x90 [ 2172.945601]  ? do_trap+0xdd/0x100 [ 2172.945795]  ? iov_iter_revert+0x178/0x180 [ 2172.946031]  ? iov_iter_revert+0x178/0x180 [ 2172.946267]  ? do_error_trap+0x7d/0x110 [ 2172.946499]  ? iov_iter_revert+0x178/0x180 [ 2172.946736]  ? exc_invalid_op+0x50/0x70 [ 2172.946961]  ? iov_iter_revert+0x178/0x180 [ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446]  ? iov_iter_revert+0x178/0x180 [ 2172.947683]  ? iov_iter_revert+0x5c/0x180 [ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206]  tls_sw_sendmsg+0x52/0x80 [ 2172.948420]  ? inet_sendmsg+0x1f/0x70 [ 2172.948634]  __sys_sendto+0x1cd/0x200 [ 2172.948848]  ? find_held_lock+0x2b/0x80 [ 2172.949072]  ? syscall_trace_enter+0x140/0x270 [ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595]  ? find_held_lock+0x2b/0x80 [ 2172.949817]  ? syscall_trace_enter+0x140/0x270 [ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036]  __x64_sys_sendto+0x24/0x30 [ 2172.951382]  do_syscall_64+0x90/0x170 ......  After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data().  If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. 
''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); '''  The changes in this commit are based on the following considerations:  1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic.  2. We can not calculate the correct number of bytes to revert msg_iter.  Assume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: \"abc?de?fgh?\". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes \"?fgh?\" will be cached until the length meets the cork_bytes requirement.  However, some data in \"?fgh?\" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data \"?\" we pushed.  So it doesn't seem as simple as just reverting through an offset of msg_iter.  3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached.  Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { \tif (ret == -ENOSPC) \t\tret = 0; \tgoto send_end; '''  So it's ok to just return 'copied' without error when a \"cork\" situation occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38293",
                        "url": "https://ubuntu.com/security/CVE-2025-38293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath11k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ...  Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38295",
                        "url": "https://ubuntu.com/security/CVE-2025-38295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()  The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context.  Following kernel warning and stack trace: [   31.745138] [   T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 [   31.745154] [   T2289] caller is debug_smp_processor_id+0x28/0x38 [   31.745172] [   T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 [   31.745181] [   T2289] Tainted: [W]=WARN [   31.745183] [   T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) [   31.745188] [   T2289] Call trace: [   31.745191] [   T2289]  show_stack+0x28/0x40 (C) [   31.745199] [   T2289]  dump_stack_lvl+0x4c/0x198 [   31.745205] [   T2289]  dump_stack+0x20/0x50 [   31.745209] [   T2289]  check_preemption_disabled+0xec/0xf0 [   31.745213] [   T2289]  debug_smp_processor_id+0x28/0x38 [   31.745216] [   T2289]  meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745237] [   T2289]  g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745246] [   T2289]  platform_probe+0x98/0xe0 [   31.745254] [   T2289]  really_probe+0x144/0x3f8 [   31.745258] [   T2289]  __driver_probe_device+0xb8/0x180 [   31.745261] [   T2289]  driver_probe_device+0x54/0x268 [   31.745264] [   T2289]  __driver_attach+0x11c/0x288 [   31.745267] [   T2289]  bus_for_each_dev+0xfc/0x160 [   31.745274] [   T2289]  driver_attach+0x34/0x50 [   31.745277] [   T2289]  bus_add_driver+0x160/0x2b0 [   31.745281] [   T2289]  driver_register+0x78/0x120 [   
31.745285] [   T2289]  __platform_driver_register+0x30/0x48 [   31.745288] [   T2289]  init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745298] [   T2289]  do_one_initcall+0x11c/0x438 [   31.745303] [   T2289]  do_init_module+0x68/0x228 [   31.745311] [   T2289]  load_module+0x118c/0x13a8 [   31.745315] [   T2289]  __arm64_sys_finit_module+0x274/0x390 [   31.745320] [   T2289]  invoke_syscall+0x74/0x108 [   31.745326] [   T2289]  el0_svc_common+0x90/0xf8 [   31.745330] [   T2289]  do_el0_svc+0x2c/0x48 [   31.745333] [   T2289]  el0_svc+0x60/0x150 [   31.745337] [   T2289]  el0t_64_sync_handler+0x80/0x118 [   31.745341] [   T2289]  el0t_64_sync+0x1b8/0x1c0  Changes replaces smp_processor_id() with raw_smp_processor_id() to ensure safe CPU ID retrieval in preemptible contexts.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38167",
                        "url": "https://ubuntu.com/security/CVE-2025-38167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/ntfs3: handle hdr_first_de() return value  The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently.  Additionally, error handling for the return value already exists at other points where this function is called.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38318",
                        "url": "https://ubuntu.com/security/CVE-2025-38318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Fix missing platform_set_drvdata()  Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38168",
                        "url": "https://ubuntu.com/security/CVE-2025-38168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Unregister PMUs on probe failure  When a resource allocation fails in one clock domain of an NI device, we need to properly roll back all previously registered perf PMUs in other clock domains of the same device.  Otherwise, it can lead to kernel panics.  Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 list_add corruption: next->prev should be prev (fffffd01e9698a18), but was 0000000000000000. (next=ffff10001a0decc8). pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : list_add_valid_or_report+0x7c/0xb8 lr : list_add_valid_or_report+0x7c/0xb8 Call trace:  __list_add_valid_or_report+0x7c/0xb8  perf_pmu_register+0x22c/0x3a0  arm_ni_probe+0x554/0x70c [arm_ni]  platform_probe+0x70/0xe8  really_probe+0xc6/0x4d8  driver_probe_device+0x48/0x170  __driver_attach+0x8e/0x1c0  bus_for_each_dev+0x64/0xf0  driver_add+0x138/0x260  bus_add_driver+0x68/0x138  __platform_driver_register+0x2c/0x40  arm_ni_init+0x14/0x2a [arm_ni]  do_init_module+0x36/0x298 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38169",
                        "url": "https://ubuntu.com/security/CVE-2025-38169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP  On system with SME, a thread's kernel FPSIMD state may be erroneously clobbered during a context switch immediately after that state is restored. Systems without SME are unaffected.  If the CPU happens to be in streaming SVE mode before a context switch to a thread with kernel FPSIMD state, fpsimd_thread_switch() will restore the kernel FPSIMD state using fpsimd_load_kernel_state() while the CPU is still in streaming SVE mode. When fpsimd_thread_switch() subsequently calls fpsimd_flush_cpu_state(), this will execute an SMSTOP, causing an exit from streaming SVE mode. The exit from streaming SVE mode will cause the hardware to reset a number of FPSIMD/SVE/SME registers, clobbering the FPSIMD state.  Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38170",
                        "url": "https://ubuntu.com/security/CVE-2025-38170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Discard stale CPU state when handling SME traps  The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set:  |        /* With TIF_SME userspace shouldn't generate any traps */ |        if (test_and_set_thread_flag(TIF_SME)) |                WARN_ON(1);  This is very similar to the SVE issue we fixed in commit:    751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")  The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g.  | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { |         // Trap on CPU 0 with TIF_SME clear, SME traps enabled |         // task->fpsimd_cpu is 0. |         // per_cpu_ptr(&fpsimd_last_state, 0) is task. | |         ... | |         // Preempted; migrated from CPU 0 to CPU 1. |         // TIF_FOREIGN_FPSTATE is set. | |         get_cpu_fpsimd_context(); | |         /* With TIF_SME userspace shouldn't generate any traps */ |         if (test_and_set_thread_flag(TIF_SME)) |                 WARN_ON(1); | |         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { |                 unsigned long vq_minus_one = |                         sve_vq_from_vl(task_get_sme_vl(current)) - 1; |                 sme_set_vq(vq_minus_one); | |                 fpsimd_bind_task_to_cpu(); |         } | |         put_cpu_fpsimd_context(); | |         // Preempted; migrated from CPU 1 to CPU 0. 
|         // task->fpsimd_cpu is still 0 |         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: |         // - Stale HW state is reused (with SME traps enabled) |         // - TIF_FOREIGN_FPSTATE is cleared |         // - A return to userspace skips HW state restore | }  Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.  Note: this was originally posted as [1].  [ Rutland: rewrite commit message ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38319",
                        "url": "https://ubuntu.com/security/CVE-2025-38319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table  The functions atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() do not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL, which is later dereferenced.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38297",
                        "url": "https://ubuntu.com/security/CVE-2025-38297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PM: EM: Fix potential division-by-zero error in em_compute_costs()  When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating costs in em_compute_costs().  Since the 'cost' algorithm is only used for EAS energy efficiency calculations and is currently not utilized by other device drivers, we should add the _is_cpu_device(dev) check to prevent this division-by-zero issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38298",
                        "url": "https://ubuntu.com/security/CVE-2025-38298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/skx_common: Fix general protection fault  After loading i10nm_edac (which automatically loads skx_edac_common), if only i10nm_edac is unloaded and then reloaded, and error injection testing is performed, a general protection fault may occur:    mce: [Hardware Error]: Machine check events logged   Oops: general protection fault ...   ...   Workqueue: events mce_gen_pool_process   RIP: 0010:string+0x53/0xe0   ...   Call Trace:   <TASK>   ? die_addr+0x37/0x90   ? exc_general_protection+0x1e7/0x3f0   ? asm_exc_general_protection+0x26/0x30   ? string+0x53/0xe0   vsnprintf+0x23e/0x4c0   snprintf+0x4d/0x70   skx_adxl_decode+0x16a/0x330 [skx_edac_common]   skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]   skx_mce_check_error+0x17/0x20 [skx_edac_common]   ...  The issue arose because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above.  Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38299",
                        "url": "https://ubuntu.com/security/CVE-2025-38299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()  ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null.  Avoid a crash if the device tree is not assigning a codec to these links.  [    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [    1.181065] Mem abort info: [    1.181420]   ESR = 0x0000000096000004 [    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits [    1.182576]   SET = 0, FnV = 0 [    1.182964]   EA = 0, S1PTW = 0 [    1.183367]   FSC = 0x04: level 0 translation fault [    1.183983] Data abort info: [    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [    1.186439] [0000000000000000] user address but active_mm is swapper [    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [    1.188029] Modules linked in: [    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 [    1.189515] Hardware name: Radxa NIO 12L (DT) [    1.190065] Workqueue: events_unbound deferred_probe_work_func [    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    1.191683] pc : __pi_strcmp+0x24/0x140 [    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 [    1.192854] sp : ffff800083473970 [    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 [    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 [    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 [    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff [    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 [    1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 
692d6b636f6c6374 [    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 [    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d [    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 [    1.202236] Call trace: [    1.202545]  __pi_strcmp+0x24/0x140 (P) [    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8 [    1.203644]  platform_probe+0x70/0xe8 [    1.204106]  really_probe+0xc8/0x3a0 [    1.204556]  __driver_probe_device+0x84/0x160 [    1.205104]  driver_probe_device+0x44/0x130 [    1.205630]  __device_attach_driver+0xc4/0x170 [    1.206189]  bus_for_each_drv+0x8c/0xf8 [    1.206672]  __device_attach+0xa8/0x1c8 [    1.207155]  device_initial_probe+0x1c/0x30 [    1.207681]  bus_probe_device+0xb0/0xc0 [    1.208165]  deferred_probe_work_func+0xa4/0x100 [    1.208747]  process_one_work+0x158/0x3e0 [    1.209254]  worker_thread+0x2c4/0x3e8 [    1.209727]  kthread+0x134/0x1f0 [    1.210136]  ret_from_fork+0x10/0x20 [    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) [    1.211355] ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38172",
                        "url": "https://ubuntu.com/security/CVE-2025-38172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid using multiple devices with different type  For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files.  However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to a UAF:    erofs_fc_get_tree     get_tree_bdev_flags(erofs_fc_fill_super)       erofs_read_superblock         erofs_init_device  // sbi->dif0 is not inited yet,                            // return -ENOTBLK       deactivate_locked_super         free(sbi)     if (err is -ENOTBLK)       sbi->dif0.file = filp_open()  // sbi UAF  So if -ENOTBLK is hit in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38173",
                        "url": "https://ubuntu.com/security/CVE-2025-38173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: marvell/cesa - Handle zero-length skcipher requests  Do not access random memory for zero-length skcipher requests. Just return 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-03 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38300",
                        "url": "https://ubuntu.com/security/CVE-2025-38300",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()  Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():  1] If dma_map_sg() fails for areq->dst, the device driver would try to free    DMA memory it has not allocated in the first place. To fix this, on the    \"theend_sgs\" error path, call dma unmap only if the corresponding dma    map was successful.  2] If the dma_map_single() call for the IV fails, the device driver would    try to free an invalid DMA memory address on the \"theend_iv\" path:    ------------[ cut here ]------------    DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address    WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90    Modules linked in: skcipher_example(O+)    CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O       6.15.0-rc3+ #24 PREEMPT    Tainted: [O]=OOT_MODULE    Hardware name: OrangePi Zero2 (DT)    pc : check_unmap+0x123c/0x1b90    lr : check_unmap+0x123c/0x1b90    ...    Call trace:     check_unmap+0x123c/0x1b90 (P)     debug_dma_unmap_page+0xac/0xc0     dma_unmap_page_attrs+0x1f4/0x5fc     sun8i_ce_cipher_do_one+0x1bd4/0x1f40     crypto_pump_work+0x334/0x6e0     kthread_worker_fn+0x21c/0x438     kthread+0x374/0x664     ret_from_fork+0x10/0x20    ---[ end trace 0000000000000000 ]---  To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the \"theend_iv\" path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38174",
                        "url": "https://ubuntu.com/security/CVE-2025-38174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  thunderbolt: Do not double dequeue a configuration request  Some of our devices crash in tb_cfg_request_dequeue():   general protection fault, probably for non-canonical address 0xdead000000000122   CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65  RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0  Call Trace:  <TASK>  ? tb_cfg_request_dequeue+0x2d/0xa0  tb_cfg_request_work+0x33/0x80  worker_thread+0x386/0x8f0  kthread+0xed/0x110  ret_from_fork+0x38/0x50  ret_from_fork_asm+0x1b/0x30  The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request().  Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison dereference hints at it: 0xdead000000000122).  Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38175",
                        "url": "https://ubuntu.com/security/CVE-2025-38175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix yet another UAF in binder_devices  Commit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed:    ==================================================================   BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100   Write of size 8 at addr ffff0000c773b900 by task umount/467   CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT   Hardware name: linux,dummy-virt (DT)   Call trace:    binder_remove_device+0xd4/0x100    binderfs_evict_inode+0x230/0x2f0    evict+0x25c/0x5dc    iput+0x304/0x480    dentry_unlink_inode+0x208/0x46c    __dentry_kill+0x154/0x530    [...]    Allocated by task 463:    __kmalloc_cache_noprof+0x13c/0x324    binderfs_binder_device_create.isra.0+0x138/0xa60    binder_ctl_ioctl+0x1ac/0x230   [...]    Freed by task 215:    kfree+0x184/0x31c    binder_proc_dec_tmpref+0x33c/0x4ac    binder_deferred_func+0xc10/0x1108    process_one_work+0x520/0xba4   [...]   ==================================================================  Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38176",
                        "url": "https://ubuntu.com/security/CVE-2025-38176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix use-after-free in binderfs_evict_inode()  Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:  BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699  CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x1c2/0x2a0  ? __pfx_dump_stack_lvl+0x10/0x10  ? __pfx__printk+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  print_report+0x155/0x840  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  ? __phys_addr+0xba/0x170  ? binderfs_evict_inode+0x1de/0x2d0  kasan_report+0x147/0x180  ? binderfs_evict_inode+0x1de/0x2d0  binderfs_evict_inode+0x1de/0x2d0  ? __pfx_binderfs_evict_inode+0x10/0x10  evict+0x524/0x9f0  ? __pfx_lock_release+0x10/0x10  ? __pfx_evict+0x10/0x10  ? do_raw_spin_unlock+0x4d/0x210  ? _raw_spin_unlock+0x28/0x50  ? iput+0x697/0x9b0  __dentry_kill+0x209/0x660  ? shrink_kill+0x8d/0x2c0  shrink_kill+0xa9/0x2c0  shrink_dentry_list+0x2e0/0x5e0  shrink_dcache_parent+0xa2/0x2c0  ? __pfx_shrink_dcache_parent+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __pfx_do_raw_spin_lock+0x10/0x10  do_one_tree+0x23/0xe0  shrink_dcache_for_umount+0xa0/0x170  generic_shutdown_super+0x67/0x390  kill_litter_super+0x76/0xb0  binderfs_kill_super+0x44/0x90  deactivate_locked_super+0xb9/0x130  cleanup_mnt+0x422/0x4c0  ? lockdep_hardirqs_on+0x9d/0x150  task_work_run+0x1d2/0x260  ? __pfx_task_work_run+0x10/0x10  resume_user_mode_work+0x52/0x60  syscall_exit_to_user_mode+0x9a/0x120  do_syscall_64+0x103/0x210  ? 
asm_sysvec_apic_timer_interrupt+0x1a/0x20  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830  </TASK>  Allocated by task 1705:  kasan_save_track+0x3e/0x80  __kasan_kmalloc+0x8f/0xa0  __kmalloc_cache_noprof+0x213/0x3e0  binderfs_binder_device_create+0x183/0xa80  binder_ctl_ioctl+0x138/0x190  __x64_sys_ioctl+0x120/0x1b0  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 1705:  kasan_save_track+0x3e/0x80  kasan_save_free_info+0x46/0x50  __kasan_slab_free+0x62/0x70  kfree+0x194/0x440  evict+0x524/0x9f0  do_unlinkat+0x390/0x5b0  __x64_sys_unlink+0x47/0x50  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.  I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38265",
                        "url": "https://ubuntu.com/security/CVE-2025-38265",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: jsm: fix NPE during jsm_uart_port_init  No device was set which caused serial_base_ctrl_add to crash.   BUG: kernel NULL pointer dereference, address: 0000000000000050  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI  CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1  RIP: 0010:serial_base_ctrl_add+0x96/0x120  Call Trace:   <TASK>   serial_core_register_port+0x1a0/0x580   ? __setup_irq+0x39c/0x660   ? __kmalloc_cache_noprof+0x111/0x310   jsm_uart_port_init+0xe8/0x180 [jsm]   jsm_probe_one+0x1f4/0x410 [jsm]   local_pci_probe+0x42/0x90   pci_device_probe+0x22f/0x270   really_probe+0xdb/0x340   ? pm_runtime_barrier+0x54/0x90   ? __pfx___driver_attach+0x10/0x10   __driver_probe_device+0x78/0x110   driver_probe_device+0x1f/0xa0   __driver_attach+0xba/0x1c0   bus_for_each_dev+0x8c/0xe0   bus_add_driver+0x112/0x1f0   driver_register+0x72/0xd0   jsm_init_module+0x36/0xff0 [jsm]   ? __pfx_jsm_init_module+0x10/0x10 [jsm]   do_one_initcall+0x58/0x310   do_init_module+0x60/0x230  Tested with Digi Neo PCIe 8 port card.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38092",
                        "url": "https://ubuntu.com/security/CVE-2025-38092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: use list_first_entry_or_null for opinfo_get_list()  The list_first_entry() macro never returns NULL.  If the list is empty then it returns an invalid pointer.  Use list_first_entry_or_null() to check if the list is empty.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38091",
                        "url": "https://ubuntu.com/security/CVE-2025-38091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: check stream id dml21 wrapper to get plane_id  [Why & How] Fix a false positive warning which occurs due to lack of correct checks when querying plane_id in DML21. This fixes the warning when performing a mode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):  [   35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi [   35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G          OE      6.11.0-21-generic #21~24.04.1-Ubuntu [   35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [   35.751505] Hardware name: Gigabyte Technology Co., Ltd. 
X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024 [   35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu] [   35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87 [   35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246 [   35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000 [   35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [   35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000 [   35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000 [   35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000 [   35.751803] FS:  0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000 [   35.751804] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0 [   35.751806] PKRU: 55555554 [   35.751807] Call Trace: [   35.751810]  <TASK> [   35.751816]  ? show_regs+0x6c/0x80 [   35.751820]  ? __warn+0x88/0x140 [   35.751822]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751964]  ? report_bug+0x182/0x1b0 [   35.751969]  ? handle_bug+0x6e/0xb0 [   35.751972]  ? exc_invalid_op+0x18/0x80 [   35.751974]  ? asm_exc_invalid_op+0x1b/0x20 [   35.751978]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.752117]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752256]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752260]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752400]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752403]  ? math_pow+0x11/0xa0 [amdgpu] [   35.752524]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752526]  ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu] [   35.752663]  ? 
srso_alias_return_thunk+0x5/0xfbef5 [   35.752669]  dml21_validate+0x3d4/0x980 [amdgpu]  (cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38082",
                        "url": "https://ubuntu.com/security/CVE-2025-38082",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpio: virtuser: fix potential out-of-bound write  If the caller wrote more characters, count is truncated to the max available space in \"simple_write_to_buffer\". Check that the input size does not exceed the buffer size. Write a zero termination afterwards.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38050",
                        "url": "https://ubuntu.com/security/CVE-2025-38050",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios  A kernel crash was observed when replacing free hugetlb folios:  BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK>  replace_free_hugepage_folios+0xb6/0x100  alloc_contig_range_noprof+0x18a/0x590  ? srso_return_thunk+0x5/0x5f  ? down_read+0x12/0xa0  ? srso_return_thunk+0x5/0x5f  cma_range_alloc.constprop.0+0x131/0x290  __cma_alloc+0xcf/0x2c0  cma_alloc_write+0x43/0xb0  simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110  debugfs_attr_write+0x46/0x70  full_proxy_write+0x62/0xa0  vfs_write+0xf8/0x420  ? srso_return_thunk+0x5/0x5f  ? filp_flush+0x86/0xa0  ? srso_return_thunk+0x5/0x5f  ? filp_close+0x1f/0x30  ? srso_return_thunk+0x5/0x5f  ? do_dup2+0xaf/0x160  ? 
srso_return_thunk+0x5/0x5f  ksys_write+0x65/0xe0  do_syscall_64+0x64/0x170  entry_SYSCALL_64_after_hwframe+0x76/0x7e  There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios():  CPU1                              CPU2 __update_and_free_hugetlb_folio   replace_free_hugepage_folios                                     folio_test_hugetlb(folio)                                     -- It's still hugetlb folio.    __folio_clear_hugetlb(folio)   hugetlb_free_folio(folio)                                     h = folio_hstate(folio)                                     -- Here, h is NULL pointer  When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38029",
                        "url": "https://ubuntu.com/security/CVE-2025-38029",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kasan: avoid sleepable page allocation from atomic context  apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g.  if an architecutre disables preemption on lazy MMU mode enter.  On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:  [    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [    0.663358] preempt_count: 1, expected: 0 [    0.663366] RCU nest depth: 0, expected: 0 [    0.663375] no locks held by kthreadd/2. [    0.663383] Preemption disabled at: [    0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [    0.663409] Call Trace: [    0.663410]  [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [    0.663413]  [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [    0.663415]  [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [    0.663419]  [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [    0.663421]  [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [    0.663424]  [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [    0.663427]  [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [    0.663429]  [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [    0.663433]  [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [    0.663435]  [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [    0.663437]  [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [    
0.663440]  [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [    0.663442]  [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [    0.663445]  [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [    0.663448]  [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [    0.663451]  [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [    0.663454]  [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [    0.663457]  [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [    0.663460]  [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [    0.663463]  [<0002f3284c45be90>] copy_process+0x280/0x4b90 [    0.663465]  [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [    0.663467]  [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [    0.663469]  [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [    0.663472]  [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [    0.663475]  [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38  Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38076",
                        "url": "https://ubuntu.com/security/CVE-2025-38076",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  alloc_tag: allocate percpu counters for module tags dynamically  When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused.  However percpu counters referenced by the tags are freed by free_module().  This will lead to UAF if the memory allocated by a module is accessed after module was unloaded.  To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading.  This also removes the requirement of a larger PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38051",
                        "url": "https://ubuntu.com/security/CVE-2025-38051",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix use-after-free in cifs_fill_dirent  There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning.   ==================================================================  BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]  Read of size 4 at addr ffff8880099b819c by task a.out/342975   CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014  Call Trace:   <TASK>   dump_stack_lvl+0x53/0x70   print_report+0xce/0x640   kasan_report+0xb8/0xf0   cifs_fill_dirent+0xb03/0xb60 [cifs]   cifs_readdir+0x12cb/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f996f64b9f9  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01  f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8  RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e  RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88  R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000   </TASK>   Allocated by task 408:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   __kasan_slab_alloc+0x6e/0x70   kmem_cache_alloc_noprof+0x117/0x3d0   mempool_alloc_noprof+0xf2/0x2c0   cifs_buf_get+0x36/0x80 [cifs]   allocate_buffers+0x1d2/0x330 [cifs]   cifs_demultiplex_thread+0x22b/0x2690 [cifs]   kthread+0x394/0x720   ret_from_fork+0x34/0x70   
ret_from_fork_asm+0x1a/0x30   Freed by task 342979:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x60   __kasan_slab_free+0x37/0x50   kmem_cache_free+0x2b8/0x500   cifs_buf_release+0x3c/0x70 [cifs]   cifs_readdir+0x1c97/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents64+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e   The buggy address belongs to the object at ffff8880099b8000   which belongs to the cache cifs_request of size 16588  The buggy address is located 412 bytes inside of   freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)   The buggy address belongs to the physical page:  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8  head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  anon flags: 0x80000000000040(head|node=0|zone=1)  page_type: f5(slab)  raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff  head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008  page dumped because: kasan: bad access detected   Memory state around the buggy address:   ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                              ^   ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  ==================================================================  POC is available in the link [1].  
The problem triggering process is as follows:  Process 1                       Process 2 ----------------------------------- ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38077",
                        "url": "https://ubuntu.com/security/CVE-2025-38077",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()  If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow.  Add a check for an empty string.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38078",
                        "url": "https://ubuntu.com/security/CVE-2025-38078",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: Fix race of buffer access at PCM OSS layer  The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area.  But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops.  For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38003",
                        "url": "https://ubuntu.com/security/CVE-2025-38003",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add missing rcu read protection for procfs content  When the procfs content is generated for a bcm_op which is in the process of being removed, the procfs output might show unreliable data (UAF).  As the removal of bcm_ops is already implemented with RCU handling, this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under RCU protection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-08 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38004",
                        "url": "https://ubuntu.com/security/CVE-2025-38004",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add locking for bcm_op runtime updates  The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed or reduced at runtime, in which case the 'currframe' counter is set to zero.  Although this appeared to be a safe operation, the updates of 'currframe' can be triggered from user space and from hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh.  In the rework of bcm_can_tx() the 'count' variable has been moved into the protected section, as this variable can be modified from both contexts too.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-08 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38031",
                        "url": "https://ubuntu.com/security/CVE-2025-38031",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: do not leak refcount in reorder_work  A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented.  Fix this by checking the return value of queue_work() and decrementing the refcount when necessary.  Resolves:  Unreferenced object 0xffff9d9f421e3d80 (size 192):   comm \"cryptomgr_probe\", pid 157, jiffies 4294694003   hex dump (first 32 bytes):     80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............     d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.   backtrace (crc 838fb36):     __kmalloc_cache_noprof+0x284/0x320     padata_alloc_pd+0x20/0x1e0     padata_alloc_shell+0x3b/0xa0     0xffffffffc040a54d     cryptomgr_probe+0x43/0xc0     kthread+0xf6/0x1f0     ret_from_fork+0x2f/0x50     ret_from_fork_asm+0x1a/0x30",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38079",
                        "url": "https://ubuntu.com/security/CVE-2025-38079",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_hash - fix double free in hash_accept  If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38052",
                        "url": "https://ubuntu.com/security/CVE-2025-38052",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done  Syzbot reported a slab-use-after-free with the following call trace:    ==================================================================   BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840   Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25    Call Trace:    kasan_report+0xd9/0x110 mm/kasan/report.c:601    tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840    crypto_request_complete include/crypto/algapi.h:266    aead_request_complete include/crypto/internal/aead.h:85    cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772    crypto_request_complete include/crypto/algapi.h:266    cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231    Allocated by task 8355:    kzalloc_noprof include/linux/slab.h:778    tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466    tipc_init_net+0x2dd/0x430 net/tipc/core.c:72    ops_init+0xb9/0x650 net/core/net_namespace.c:139    setup_net+0x435/0xb40 net/core/net_namespace.c:343    copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508    create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110    unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228    ksys_unshare+0x419/0x970 kernel/fork.c:3323    __do_sys_unshare kernel/fork.c:3394    Freed by task 63:    kfree+0x12a/0x3b0 mm/slub.c:4557    tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539    tipc_exit_net+0x8c/0x110 net/tipc/core.c:119    ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173    cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231  After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done may still visit it in cryptd_queue_worker workqueue.  
I reproduce this issue by:   ip netns add ns1   ip link add veth1 type veth peer name veth2   ip link set veth1 netns ns1   ip netns exec ns1 tipc bearer enable media eth dev veth1   ip netns exec ns1 tipc node set key this_is_a_master_key master   ip netns exec ns1 tipc bearer disable media eth dev veth1   ip netns del ns1  The key of reproduction is that, simd_aead_encrypt is interrupted, leading to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is triggered, and the tipc_crypto tx will be visited.    tipc_disc_timeout     tipc_bearer_xmit_skb       tipc_crypto_xmit         tipc_aead_encrypt           crypto_aead_encrypt             // encrypt()             simd_aead_encrypt               // crypto_simd_usable() is false               child = &ctx->cryptd_tfm->base;    simd_aead_encrypt     crypto_aead_encrypt       // encrypt()       cryptd_aead_encrypt_enqueue         cryptd_aead_enqueue           cryptd_enqueue_request             // trigger cryptd_queue_worker             queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)  Fix this by holding net reference count before encrypt.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38053",
                        "url": "https://ubuntu.com/security/CVE-2025-38053",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: fix null-ptr-deref in idpf_features_check  idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL.  To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path.  BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace:  <TASK>  ? __die+0x23/0x70  ? page_fault_oops+0x154/0x520  ? exc_page_fault+0x76/0x190  ? asm_exc_page_fault+0x26/0x30  ? idpf_features_check+0x6d/0xe0 [idpf]  netif_skb_features+0x88/0x310  validate_xmit_skb+0x2a/0x2b0  validate_xmit_skb_list+0x4c/0x70  sch_direct_xmit+0x19d/0x3a0  __dev_queue_xmit+0xb74/0xe70  ...",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38032",
                        "url": "https://ubuntu.com/security/CVE-2025-38032",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mr: consolidate the ipmr_can_free_table() checks.  Guoyu Yin reported a splat in the ipmr netns cleanup path:  WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline] WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Modules linked in: CPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ipmr_free_table net/ipv4/ipmr.c:440 [inline] RIP: 0010:ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Code: ff df 48 c1 ea 03 80 3c 02 00 75 7d 48 c7 83 60 05 00 00 00 00 00 00 5b 5d 41 5c 41 5d 41 5e e9 71 67 7f 00 e8 4c 2d 8a fd 90 <0f> 0b 90 eb 93 e8 41 2d 8a fd 0f b6 2d 80 54 ea 01 31 ff 89 ee e8 RSP: 0018:ffff888109547c58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888108c12dc0 RCX: ffffffff83e09868 RDX: ffff8881022b3300 RSI: ffffffff83e098d4 RDI: 0000000000000005 RBP: ffff888104288000 R08: 0000000000000000 R09: ffffed10211825c9 R10: 0000000000000001 R11: ffff88801816c4a0 R12: 0000000000000001 R13: ffff888108c13320 R14: ffff888108c12dc0 R15: fffffbfff0b74058 FS:  00007f84f39316c0(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f84f3930f98 CR3: 0000000113b56000 CR4: 0000000000350ef0 Call Trace:  <TASK>  ipmr_net_exit_batch+0x50/0x90 net/ipv4/ipmr.c:3160  ops_exit_list+0x10c/0x160 net/core/net_namespace.c:177  setup_net+0x47d/0x8e0 net/core/net_namespace.c:394  copy_net_ns+0x25d/0x410 net/core/net_namespace.c:516  create_new_namespaces+0x3f6/0xaf0 kernel/nsproxy.c:110  unshare_nsproxy_namespaces+0xc3/0x180 kernel/nsproxy.c:228  ksys_unshare+0x78d/0x9a0 kernel/fork.c:3342  __do_sys_unshare kernel/fork.c:3413 [inline]  __se_sys_unshare kernel/fork.c:3411 [inline]  __x64_sys_unshare+0x31/0x40 
kernel/fork.c:3411  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f84f532cc29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f84f3931038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f84f5615fa0 RCX: 00007f84f532cc29 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000400 RBP: 00007f84f53fba18 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f84f5615fa0 R15: 00007fff51c5f328  </TASK>  The running kernel has CONFIG_IP_MROUTE_MULTIPLE_TABLES disabled, and the sanity check for such build is still too loose.  Address the issue consolidating the relevant sanity check in a single helper regardless of the kernel configuration. Also share it between the ipv4 and ipv6 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38054",
                        "url": "https://ubuntu.com/security/CVE-2025-38054",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: ocp: Limit signal/freq counts in summary output functions  The debugfs summary output could access uninitialized elements in the freq_in[] and signal_out[] arrays, causing NULL pointer dereferences and triggering a kernel Oops (page_fault_oops). This patch adds u8 fields (nr_freq_in, nr_signal_out) to track the number of initialized elements, with a maximum of 4 per array. The summary output functions are updated to respect these limits, preventing out-of-bounds access and ensuring safe array handling.  Widen the label variables because the change confuses GCC about max length of the strings.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38055",
                        "url": "https://ubuntu.com/security/CVE-2025-38055",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq  Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault.  For example:      BUG: kernel NULL pointer dereference, address: 0000000000000195     <NMI>     ? __die_body.cold+0x19/0x27     ? page_fault_oops+0xca/0x290     ? exc_page_fault+0x7e/0x1b0     ? asm_exc_page_fault+0x26/0x30     ? intel_pmu_pebs_event_update_no_drain+0x40/0x60     ? intel_pmu_pebs_event_update_no_drain+0x32/0x60     intel_pmu_drain_pebs_icl+0x333/0x350     handle_pmi_common+0x272/0x3c0     intel_pmu_handle_irq+0x10a/0x2e0     perf_event_nmi_handler+0x2a/0x50  That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.  The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.  Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'.  Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38057",
                        "url": "https://ubuntu.com/security/CVE-2025-38057",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  espintcp: fix skb leaks  A few error paths are missing a kfree_skb.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38058",
                        "url": "https://ubuntu.com/security/CVE-2025-38058",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock  ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput().  Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38033",
                        "url": "https://ubuntu.com/security/CVE-2025-38033",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88  Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic:  [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U    O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250  This happens because core::fmt::write() calls core::fmt::rt::Argument::fmt(), which currently has CFI disabled:  library/core/src/fmt/rt.rs: 171     // FIXME: Transmuting formatter in new and indirectly branching to/calling 172     // it here is an explicit CFI violation. 
173     #[allow(inline_no_sanitize)] 174     #[no_sanitize(cfi, kcfi)] 175     #[inline] 176     pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result {  This causes a Control Protection exception, because FineIBT has sealed off the original function's endbr64.  This makes rust currently incompatible with FineIBT. Add a Kconfig dependency that prevents FineIBT from getting turned on by default if rust is enabled.  [ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],   and thus we relaxed the condition with Rust >= 1.88.    When `objtool` lands checking for this with e.g. [2], the plan is   to ideally run that in upstream Rust's CI to prevent regressions   early [3], since we do not control `core`'s source code.    Alice tested the Rust PR backported to an older compiler.    Peter would like that Rust provides a stable `core` which can be   pulled into the kernel: \"Relying on that much out of tree code is   'unfortunate'\".      - Miguel ]  [ Reduced splat. - Miguel ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38059",
                        "url": "https://ubuntu.com/security/CVE-2025-38059",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid NULL pointer dereference if no valid csum tree  [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace:    BUG: kernel NULL pointer dereference, address: 0000000000000208   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O       6.15.0-rc3-custom+ #236 PREEMPT(full)   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022   RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]   Call Trace:    <TASK>    scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]    scrub_simple_mirror+0x175/0x290 [btrfs]    scrub_stripe+0x5f7/0x6f0 [btrfs]    scrub_chunk+0x9a/0x150 [btrfs]    scrub_enumerate_chunks+0x333/0x660 [btrfs]    btrfs_scrub_dev+0x23e/0x600 [btrfs]    btrfs_ioctl+0x1dcf/0x2f80 [btrfs]    __x64_sys_ioctl+0x97/0xc0    do_syscall_64+0x4f/0x120    entry_SYSCALL_64_after_hwframe+0x76/0x7e  [CAUSE] Mount option \"rescue=idatacsums\" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification.  Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.  This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash.  [FIX] Check both extent and csum tree root before doing any tree search.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38034",
                        "url": "https://ubuntu.com/security/CVE-2025-38034",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref  btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().  Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.  To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable  Perform some writeback operations.  Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014  RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130  Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88  RSP: 0018:ffffce44820077a0 EFLAGS: 00010286  RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b  RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010  RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010  R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000  R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540  FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0  PKRU: 
55555554  Call Trace:   <TASK>   prelim_ref_insert+0x1c1/0x270   find_parent_nodes+0x12a6/0x1ee0   ? __entry_text_end+0x101f06/0x101f09   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   btrfs_is_data_extent_shared+0x167/0x640   ? fiemap_process_hole+0xd0/0x2c0   extent_fiemap+0xa5c/0xbc0   ? __entry_text_end+0x101f05/0x101f09   btrfs_fiemap+0x7e/0xd0   do_vfs_ioctl+0x425/0x9d0   __x64_sys_ioctl+0x75/0xc0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38035",
                        "url": "https://ubuntu.com/security/CVE-2025-38035",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: don't restore null sk_state_change  queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if the TCP connection isn't established when nvmet_tcp_set_queue_sock() is called then queue->state_change isn't set and sock->sk->sk_state_change isn't replaced.  As such we don't need to restore sock->sk->sk_state_change if queue->state_change is NULL.  This avoids NULL pointer dereferences such as this:  [  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode [  286.463796][    C0] #PF: error_code(0x0010) - not-present page [  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0 [  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI [  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary) [  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [  286.467147][    C0] RIP: 0010:0x0 [  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246 [  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43 [  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100 [  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c [  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3 [  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268 [  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000 [  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0 [  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [  286.475453][    C0] Call Trace: [  286.476102][    C0]  <IRQ> [  286.476719][    C0]  tcp_fin+0x2bb/0x440 [  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60 [  286.478174][    C0]  ? __build_skb_around+0x234/0x330 [  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10 [  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0 [  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30 [  286.482769][    C0]  ? ktime_get+0x66/0x150 [  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050 [  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0 [  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10 [  286.486917][    C0]  ? lock_release+0x217/0x2c0 [  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0 [  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30 [  286.488904][    C0]  ? 
raw_local_deliver+0x51b/0xad0 [  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10 [  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10 [  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack] [  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370 [  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420 [  286.494268][    C0]  ip_local_deliver+0x168/0x430 [  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10 [  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10 [  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20 [  286.496806][    C0]  ? lock_release+0x217/0x2c0 [  286.497414][    C0]  ip_rcv+0x455/0x6e0 [  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10 [ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38036",
                        "url": "https://ubuntu.com/security/CVE-2025-38036",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/vf: Perform early GT MMIO initialization to read GMDID  VFs need to communicate with the GuC to obtain the GMDID value and existing GuC functions used for that assume that the GT has its MMIO members already set up. However, due to recent refactoring the gt->mmio is initialized later, and any attempt by the VF to use xe_mmio_read|write() from GuC functions will lead to an NPD crash due to an unset MMIO register address:  [] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode [] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507 [] BUG: unable to handle page fault for address: 0000000000190240  Since we are already tweaking the id and type of the primary GT to mimic a Media GT before initializing the GuC communication, we can also call xe_gt_mmio_init() to perform early setup of the gt->mmio which will make those GuC functions work again.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38037",
                        "url": "https://ubuntu.com/security/CVE-2025-38037",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: Annotate FDB data races  The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2].  Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE().  [1] BUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit  write to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:  vxlan_xmit+0xb29/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  read to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:  vxlan_xmit+0xadf/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  value changed: 0x00000000fffbac6e -> 0x00000000fffbac6f  Reported by Kernel Concurrency Sanitizer on: CPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014  [2]  #!/bin/bash   set +H  echo whitelist > /sys/kernel/debug/kcsan  echo !vxlan_xmit > /sys/kernel/debug/kcsan   ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1  bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1  taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &  taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38038",
                        "url": "https://ubuntu.com/security/CVE-2025-38038",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost  set_boost is a per-policy function call, hence a driver wide lock is unnecessary. Also this mutex_acquire can collide with the mutex_acquire from the mode-switch path in status_store(), which can lead to a deadlock. So, remove it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38039",
                        "url": "https://ubuntu.com/security/CVE-2025-38039",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled  When attempting to enable MQPRIO while HTB offload is already configured, the driver currently returns `-EINVAL` and triggers a `WARN_ON`, leading to an unnecessary call trace.  Update the code to handle this case more gracefully by returning `-EOPNOTSUPP` instead, while also providing a helpful user message.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38080",
                        "url": "https://ubuntu.com/security/CVE-2025-38080",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Increase block_sequence array size  [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash.  [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38060",
                        "url": "https://ubuntu.com/security/CVE-2025-38060",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: copy_verifier_state() should copy 'loop_entry' field  The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state.  Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack().  See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.  This change has some verification performance impact for selftests:  File                                Program                       Insns (A)  Insns (B)  Insns   (DIFF)  States (A)  States (B)  States (DIFF) ----------------------------------  ----------------------------  ---------  ---------  --------------  ----------  ----------  ------------- arena_htab.bpf.o                    arena_htab_llvm                     717        426  -291 (-40.59%)          57          37  -20 (-35.09%) arena_htab_asm.bpf.o                arena_htab_asm                      597        445  -152 (-25.46%)          47          37  -10 (-21.28%) arena_list.bpf.o                    arena_list_del                      309        279    -30 (-9.71%)          23          14   -9 (-39.13%) iters.bpf.o                         iter_subprog_check_stacksafe        155        141    -14 (-9.03%)          15          14    -1 (-6.67%) iters.bpf.o                         iter_subprog_iters                 1094       1003    -91 (-8.32%)          88          83    -5 (-5.68%) iters.bpf.o                         loop_state_deps2                    479        725  +246 (+51.36%)          46          63  +17 (+36.96%) kmem_cache_iter.bpf.o               
open_coded_iter                      63         59     -4 (-6.35%)           7           6   -1 (-14.29%) verifier_bits_iter.bpf.o            max_words                            92         84     -8 (-8.70%)           8           7   -1 (-12.50%) verifier_iterating_callbacks.bpf.o  cond_break2                         113        107     -6 (-5.31%)          12          12    +0 (+0.00%)  And significant negative impact for sched_ext:  File               Program                 Insns (A)  Insns (B)  Insns        (DIFF)  States (A)  States (B)  States      (DIFF) -----------------  ----------------------  ---------  --------- --------------------  ----------  ----------  ------------------ bpf.bpf.o          lavd_init                    7039      14723      +7684 (+109.16%)         490        1139     +649 (+132.45%) bpf.bpf.o          layered_dispatch            11485      10548        -937 (-8.16%)         848         762       -86 (-10.14%) bpf.bpf.o          layered_dump                 7422    1000001  +992579 (+13373.47%)         681       31178  +30497 (+4478.27%) bpf.bpf.o          layered_enqueue             16854      71127     +54273 (+322.02%)        1611        6450    +4839 (+300.37%) bpf.bpf.o          p2dq_dispatch                 665        791        +126 (+18.95%)          68          78       +10 (+14.71%) bpf.bpf.o          p2dq_init                    2343       2980        +637 (+27.19%)         201         237       +36 (+17.91%) bpf.bpf.o          refresh_layer_cpumasks      16487     674760   +658273 (+3992.68%)        1770       65370  +63600 (+3593.22%) bpf.bpf.o          rusty_select_cpu             1937      40872    +38935 (+2010.07%)         177        3210   +3033 (+1713.56%) scx_central.bpf.o  central_dispatch              636       2687      +2051 (+322.48%)          63         227     +164 (+260.32%) scx_nest.bpf.o     nest_init                     636        815        +179 (+28.14%)          60          73       +13 (+21.67%) 
scx_qmap.bpf.o     qmap_dispatch      ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38040",
                        "url": "https://ubuntu.com/security/CVE-2025-38040",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: mctrl_gpio: split disable_ms into sync and no_sync APIs  The following splat has been observed on a SAMA5D27 platform using atmel_serial:  BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last  enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last  enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x44/0x70   dump_stack_lvl from __might_resched+0x38c/0x598   __might_resched from disable_irq+0x1c/0x48   disable_irq from mctrl_gpio_disable_ms+0x74/0xc0   mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4   atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8   atmel_set_termios from uart_change_line_settings+0x15c/0x994   uart_change_line_settings from uart_set_termios+0x2b0/0x668   uart_set_termios from tty_set_termios+0x600/0x8ec   tty_set_termios from ttyport_set_flow_control+0x188/0x1e0   ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]   wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]   hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]   hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]   hci_power_on [bluetooth] from process_one_work+0x998/0x1a38   process_one_work from worker_thread+0x6e0/0xfb4   worker_thread from kthread+0x3d4/0x484   kthread from ret_from_fork+0x14/0x28  This warning is emitted when trying to 
toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock).  Split mctrl_gpio_disable_ms into two different APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38061",
                        "url": "https://ubuntu.com/security/CVE-2025-38061",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: pktgen: fix access outside of user given buffer in pktgen_thread_write()  Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38062",
                        "url": "https://ubuntu.com/security/CVE-2025-38062",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie  The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:   1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address     is stored in the MSI descriptor when an MSI interrupt is allocated.   2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a     translated message address.  This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.  Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the \"container\" after starting up.  However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).  This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.  Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.  
The other UAF related to iommu_get_domain_for_dev() will be addressed in patch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by using the IOMMU group mutex.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38041",
                        "url": "https://ubuntu.com/security/CVE-2025-38041",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: sunxi-ng: h616: Reparent GPU clock during frequency changes  The H616 manual does not state that the GPU PLL supports dynamic frequency configuration, so we must take extra care when changing the frequency. Currently any attempt to do device DVFS on the GPU leads to various panfrost oopses and GPU hangs.  The manual describes the algorithm for changing the PLL frequency, which the CPU PLL notifier code already supports, so we reuse that to reparent the GPU clock to GPU1 clock during frequency changes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38063",
                        "url": "https://ubuntu.com/security/CVE-2025-38063",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix unconditional IO throttle caused by REQ_PREFLUSH  When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait().  An example from v5.4, similar problem also exists in upstream:      crash> bt 2091206     PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"      #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8      #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4      #2 [ffff800084a2f880] schedule at ffff800040bfa4b4      #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4      #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc      #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0      #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254      #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38      #8 [ffff800084a2fa60] generic_make_request at ffff800040570138      #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4     #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]     #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]     #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]     #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]     #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]     #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]     #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08     #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc     #18 [ffff800084a2fe70] kthread at ffff800040118de4  After commit 2def2845cc33 (\"xfs: don't allow log IO to be throttled\"), the metadata submitted by xlog_write_iclog() should not be throttled. But due to the existence of the dm layer, throttling flush_bio indirectly causes the metadata bio to be throttled.  
Fix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes wbt_should_throttle() return false to avoid wbt_wait().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38064",
                        "url": "https://ubuntu.com/security/CVE-2025-38064",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio: break and reset virtio devices on device_shutdown()  Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang.  \tInvalid read at addr 0x102877002, size 2, region '(null)', reason: rejected \tInvalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected \t...  It was traced down to virtio-console. Kexec works fine if virtio-console is not in use.  The issue is that virtio-console continues to write to the MMIO even after underlying virtio-pci device is reset.  Additionally, Eric noticed that IOMMUs are reset before devices, if devices are not reset on shutdown they continue to poke at guest memory and get errors from the IOMMU. Some devices get wedged then.  The problem can be solved by breaking all virtio devices on virtio bus shutdown, then resetting them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38042",
                        "url": "https://ubuntu.com/security/CVE-2025-38042",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn  The user of k3_udma_glue_reset_rx_chn() e.g. ti_am65_cpsw_nuss can run on multiple platforms having different DMA architectures. On some platforms there can be one FDQ for all flows in the RX channel while for others there is a separate FDQ for each flow in the RX channel.  So far we have been relying on the skip_fdq argument of k3_udma_glue_reset_rx_chn().  Instead of relying on the user to provide this information, infer it based on DMA architecture during k3_udma_glue_request_rx_chn() and save it in an internal flag 'single_fdq'. Use that flag at k3_udma_glue_reset_rx_chn() to deicide if the FDQ needs to be cleared for every flow or just for flow 0.  Fixes the below issue on ti_am65_cpsw_nuss driver on AM62-SK.  > ip link set eth1 down > ip link set eth0 down > ethtool -L eth0 rx 8 > ip link set eth0 up > modprobe -r ti_am65_cpsw_nuss  [  103.045726] ------------[ cut here ]------------ [  103.050505] k3_knav_desc_pool size 512000 != avail 64000 [  103.050703] WARNING: CPU: 1 PID: 450 at drivers/net/ethernet/ti/k3-cppi-desc-pool.c:33 k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.068810] Modules linked in: ti_am65_cpsw_nuss(-) k3_cppi_desc_pool snd_soc_hdmi_codec crct10dif_ce snd_soc_simple_card snd_soc_simple_card_utils display_connector rtc_ti_k3 k3_j72xx_bandgap tidss drm_client_lib snd_soc_davinci_mcas p drm_dma_helper tps6598x phylink snd_soc_ti_udma rti_wdt drm_display_helper snd_soc_tlv320aic3x_i2c typec at24 phy_gmii_sel snd_soc_ti_edma snd_soc_tlv320aic3x sii902x snd_soc_ti_sdma sa2ul omap_mailbox drm_kms_helper authenc cfg80211 r fkill fuse drm drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: k3_cppi_desc_pool] [  103.119950] CPU: 1 UID: 0 PID: 450 Comm: modprobe Not tainted 6.13.0-rc7-00001-g9c5e3435fa66 #1011 [  
103.119968] Hardware name: Texas Instruments AM625 SK (DT) [  103.119974] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  103.119983] pc : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.148007] lr : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.154709] sp : ffff8000826ebbc0 [  103.158015] x29: ffff8000826ebbc0 x28: ffff0000090b6300 x27: 0000000000000000 [  103.165145] x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000019df6b0 [  103.172271] x23: ffff0000019df6b8 x22: ffff0000019df410 x21: ffff8000826ebc88 [  103.179397] x20: 000000000007d000 x19: ffff00000a3b3000 x18: 0000000000000000 [  103.186522] x17: 0000000000000000 x16: 0000000000000000 x15: 000001e8c35e1cde [  103.193647] x14: 0000000000000396 x13: 000000000000035c x12: 0000000000000000 [  103.200772] x11: 000000000000003a x10: 00000000000009c0 x9 : ffff8000826eba20 [  103.207897] x8 : ffff0000090b6d20 x7 : ffff00007728c180 x6 : ffff00007728c100 [  103.215022] x5 : 0000000000000001 x4 : ffff000000508a50 x3 : ffff7ffff6146000 [  103.222147] x2 : 0000000000000000 x1 : e300b4173ee6b200 x0 : 0000000000000000 [  103.229274] Call trace: [  103.231714]  k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] (P) [  103.238408]  am65_cpsw_nuss_free_rx_chns+0x28/0x4c [ti_am65_cpsw_nuss] [  103.244942]  devm_action_release+0x14/0x20 [  103.249040]  release_nodes+0x3c/0x68 [  103.252610]  devres_release_all+0x8c/0xdc [  103.256614]  device_unbind_cleanup+0x18/0x60 [  103.260876]  device_release_driver_internal+0xf8/0x178 [  103.266004]  driver_detach+0x50/0x9c [  103.269571]  bus_remove_driver+0x6c/0xbc [  103.273485]  driver_unregister+0x30/0x60 [  103.277401]  platform_driver_unregister+0x14/0x20 [  103.282096]  am65_cpsw_nuss_driver_exit+0x18/0xff4 [ti_am65_cpsw_nuss] [  103.288620]  __arm64_sys_delete_module+0x17c/0x25c [  103.293404]  invoke_syscall+0x44/0x100 [  103.297149]  el0_svc_common.constprop.0+0xc0/0xe0 [  103.301845]  do_el0_svc+0x1c/0x28 [  
103.305155]  el0_svc+0x28/0x98 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38043",
                        "url": "https://ubuntu.com/security/CVE-2025-38043",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_ffa: Set dma_mask for ffa devices  Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer leads to the following warning:  WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38044",
                        "url": "https://ubuntu.com/security/CVE-2025-38044",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: cx231xx: set device_caps for 417  The video_device for the MPEG encoder did not set device_caps.  Add this, otherwise the video device can't be registered (you get a WARN_ON instead).  Not seen before since currently 417 support is disabled, but I found this while experimenting with it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38065",
                        "url": "https://ubuntu.com/security/CVE-2025-38065",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: Do not truncate file size  'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38066",
                        "url": "https://ubuntu.com/security/CVE-2025-38066",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm cache: prevent BUG_ON by blocking retries on failed device resumes  A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.  Reproduce steps:  1. create a cache metadata consisting of 512 or more cache blocks,    with some mappings stored in the first array block of the mapping    array. Here we use cache_restore v1.0 to build the metadata.  cat <<EOF >> cmeta.xml <superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\ policy=\"smq\" hint_width=\"4\">   <mappings>     <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>   </mappings> </superblock> EOF dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta  2. wipe the second array block of the mapping array to simulate    data degradations.  mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock  3. try bringing up the cache device. The resume is expected to fail    due to the broken array block.  dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" dmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\" dmsetup create corig --table \"0 524288 linear /dev/sdc 262144\" dmsetup create cache --notable dmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\" dmsetup resume cache  4. try resuming the cache again. An unexpected BUG_ON is triggered    while loading cache mappings.  
dmsetup resume cache  Kernel logs:  (snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smq_load_mapping+0x3e5/0x570  Fix by disallowing resume operations for devices that failed the initial attempt.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38067",
                        "url": "https://ubuntu.com/security/CVE-2025-38067",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rseq: Fix segfault on registration when rseq_cs is non-zero  The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.  The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.  What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38068",
                        "url": "https://ubuntu.com/security/CVE-2025-38068",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: lzo - Fix compression buffer overrun  Unlike the decompression code, the compression code in LZO never checked for output overruns.  It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller.  Add a safe compression interface that checks for the end of buffer before each write.  Use the safe interface in crypto/lzo.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38069",
                        "url": "https://ubuntu.com/security/CVE-2025-38069",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops  Fix a kernel oops found while testing the stm32_pcie Endpoint driver with handling of PERST# deassertion:  During EP initialization, pci_epf_test_alloc_space() allocates all BARs, which are further freed if epc_set_bar() fails (for instance, due to no free inbound window).  However, when pci_epc_set_bar() fails, the error path:    pci_epc_set_bar() ->     pci_epf_free_space()  does not clear the previous assignment to epf_test->reg[bar].  Then, if the host reboots, the PERST# deassertion restarts the BAR allocation sequence with the same allocation failure (no free inbound window), creating a double free situation since epf_test->reg[bar] was deallocated and is still non-NULL.  Thus, make sure that pci_epf_alloc_space() and pci_epf_free_space() invocations are symmetric, and as such, set epf_test->reg[bar] to NULL when memory is freed.  [kwilczynski: commit log]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38045",
                        "url": "https://ubuntu.com/security/CVE-2025-38045",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix debug actions order  The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38070",
                        "url": "https://ubuntu.com/security/CVE-2025-38070",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: sma1307: Add NULL check in sma1307_setting_loaded()  All variables allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added.  This issue is found by our static analysis tool",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38071",
                        "url": "https://ubuntu.com/security/CVE-2025-38071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Check return value from memblock_phys_alloc_range()  At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() to throw the first 4 MiB of physical memory to the wolves.  At a minimum it should fail gracefully with a meaningful diagnostic, but in fact everything seems to work fine without the weird reserve allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38072",
                        "url": "https://ubuntu.com/security/CVE-2025-38072",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libnvdimm/labels: Fix divide error in nd_label_data_init()  If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver:   Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI  RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]  Code and flow:  1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver):  drivers/cxl/pmem.c:             .config_size = mds->lsa_size,  3) max_xfer is set to zero (nvdimm driver):  drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);  4) A subsequent DIV_ROUND_UP() causes a division by zero:  drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c-                 config_size);  Fix this by checking the config size parameter by extending an existing check.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38081",
                        "url": "https://ubuntu.com/security/CVE-2025-38081",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi-rockchip: Fix register out of bounds access  Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38047",
                        "url": "https://ubuntu.com/security/CVE-2025-38047",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fred: Fix system hang during S4 resume with FRED enabled  Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective.  It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original page frames used before hibernation unless those frames are currently in use.  Once all pages are moved to their original locations, it jumps to a \"trampoline\" page in the image kernel.  At this point, the image kernel takes control, but the FRED MSRs still contain values set by the restore kernel, which may differ from those set by the image kernel before hibernation.  Therefore, the image kernel must ensure the FRED MSRs have the same values as before hibernation. Since these values depend only on the location of the kernel text and data, they can be recomputed from scratch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38073",
                        "url": "https://ubuntu.com/security/CVE-2025-38073",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: fix race between set_blocksize and read paths  With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash.  Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device.  The read call can create an order-0 folio to read the first 4096 bytes from the disk.  But then udev is preempted.  Next, someone tries to mount an 8k-sectorsize filesystem from the same block device.  The filesystem calls set_blksize, which sets i_blksize to 8192 and the minimum folio order to 1.  Now udev resumes, still holding the order-0 folio it allocated.  It then tries to schedule a read bio and do_mpage_readahead tries to create bufferheads for the folio.  Unfortunately, blocks_per_folio == 0 because the page size is 4096 but the blocksize is 8192 so no bufferheads are attached and the bh walk never sets bdev.  We then submit the bio with a NULL block device and crash.  Therefore, truncate the page cache after flushing but before updating i_blksize.  However, that's not enough -- we also need to lock out file IO and page faults during the update.  Take both the i_rwsem and the invalidate_lock in exclusive mode for invalidations, and in shared mode for read/write operations.  I don't know if this is the correct fix, but xfs/259 found it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38074",
                        "url": "https://ubuntu.com/security/CVE-2025-38074",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vhost-scsi: protect vq->log_used with vq->mutex  The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.      vhost-thread                       QEMU-thread  vhost_scsi_complete_cmd_work() -> vhost_add_used()    -> vhost_add_used_n()       if (unlikely(vq->log_used))                                       QEMU disables vq->log_used                                       via VHOST_SET_VRING_ADDR.                                       mutex_lock(&vq->mutex);                                       vq->log_used = false now!                                       mutex_unlock(&vq->mutex);  \t\t\t\t      QEMU gfree(vq->log_base)         log_used()         -> log_write(vq->log_base)  Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace.  The control queue path has the same issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38048",
                        "url": "https://ubuntu.com/security/CVE-2025-38048",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN  syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred:  ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed  write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:  virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653  start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264  __netdev_start_xmit include/linux/netdevice.h:5151 [inline]  netdev_start_xmit include/linux/netdevice.h:5160 [inline]  xmit_one net/core/dev.c:3800 [inline]  read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:  virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]  virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566  skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777  vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715  __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158  handle_irq_event_percpu kernel/irq/handle.c:193 [inline]  value changed: 0x01 -> 0x00 ==================================================================  When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used.  Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38075",
                        "url": "https://ubuntu.com/security/CVE-2025-38075",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: iscsi: Fix timeout on deleted connection  NOPIN response timer may expire on a deleted connection and crash with such logs:  Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d  BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP  strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace:  iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]  call_timer_fn+0x58/0x1f0  run_timer_softirq+0x740/0x860  __do_softirq+0x16c/0x420  irq_exit+0x188/0x1c0  timer_interrupt+0x184/0x410  That is because nopin response timer may be re-started on nopin timer expiration.  Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38350",
                        "url": "https://ubuntu.com/security/CVE-2025-38350",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Always pass notifications when child class becomes empty  Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.  The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:      tc qdisc add dev lo root handle 1: drr     tc filter add dev lo parent 1: basic classid 1:1     tc class add dev lo parent 1: classid 1:1 drr     tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1     tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0     tc qdisc add dev lo parent 2:1 handle 3: netem     tc qdisc add dev lo parent 3:1 handle 4: blackhole      echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888     tc class delete dev lo classid 1:1     echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888  Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. 
This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-19 07:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38056",
                        "url": "https://ubuntu.com/security/CVE-2025-38056",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Intel: hda: Fix UAF when reloading module  hda_generic_machine_select() appends -idisp to the tplg filename by allocating a new string with devm_kasprintf(), then stores the string right back into the global variable snd_soc_acpi_intel_hda_machines. When the module is unloaded, this memory is freed, resulting in a global variable pointing to freed memory.  Reloading the module then triggers a use-after-free:  BUG: KFENCE: use-after-free read in string+0x48/0xe0  Use-after-free read at 0x00000000967e0109 (in kfence-#99):  string+0x48/0xe0  vsnprintf+0x329/0x6e0  devm_kvasprintf+0x54/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64  allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):  devm_kmalloc+0x52/0x120  devm_kvasprintf+0x66/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):  release_nodes+0x43/0xb0  devres_release_all+0x90/0xf0  device_unbind_cleanup+0xe/0x70  device_release_driver_internal+0x1c1/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x42/0xb0  __do_sys_delete_module+0x1d1/0x310  do_syscall_64+0x82/0x190  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Fix it by copying the match array with devm_kmemdup_array() before we modify it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38008",
                        "url": "https://ubuntu.com/security/CVE-2025-38008",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/page_alloc: fix race condition in unaccepted memory handling  The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory.  Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone.  Sanity checks inside static_branch machinery detects it:  WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0  The comment around the WARN() explains the problem:  \t/* \t * Warn about the '-1' case though; since that means a \t * decrement is concurrent with a first (0->1) increment. IOW \t * people are trying to disable something that wasn't yet fully \t * enabled. This suggests an ordering problem on the user side. \t */  The effect of this static_branch optimization is only visible on microbenchmark.  Instead of adding more complexity around it, remove it altogether.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38014",
                        "url": "https://ubuntu.com/security/CVE-2025-38014",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: Refactor remove call with idxd_cleanup() helper  The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, engines and wqs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38015",
                        "url": "https://ubuntu.com/security/CVE-2025-38015",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix memory leak in error handling path of idxd_alloc  Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38005",
                        "url": "https://ubuntu.com/security/CVE-2025-38005",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma: Add missing locking  Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled:  [    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [    4.144867] Hardware name: pp-v12 (DT) [    4.148648] Workqueue: events udma_check_tx_completion [    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    4.160834] pc : udma_start.isra.0+0x34/0x238 [    4.165227] lr : udma_start.isra.0+0x30/0x238 [    4.169618] sp : ffffffc083cabcf0 [    4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [    4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [    4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [    4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [    4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [    4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [    4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [    4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [    4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [    4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [    4.244986] Call trace: [    4.247463]  udma_start.isra.0+0x34/0x238 [    4.251509]  udma_check_tx_completion+0xd0/0xdc [    4.256076]  process_one_work+0x244/0x3fc [    4.260129]  process_scheduled_works+0x6c/0x74 [    4.264610]  worker_thread+0x150/0x1dc [    4.268398]  kthread+0xd8/0xe8 [    4.271492]  ret_from_fork+0x10/0x20 [    4.275107] irq event stamp: 220 [    4.278363] hardirqs last  enabled at (219): 
[<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [    4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [    4.294879] softirqs last  enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [    4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [    4.311559] ---[ end trace 0000000000000000 ]---  This commit adds the missing locking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38009",
                        "url": "https://ubuntu.com/security/CVE-2025-38009",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: disable napi on driver removal  A warning on driver removal started occurring after commit 9dd05df8403b (\"net: warn if NAPI instance wasn't shut down\"). Disable tx napi before deleting it in mt76_dma_cleanup().   WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100  CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)  Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024  RIP: 0010:__netif_napi_del_locked+0xf0/0x100  Call Trace:  <TASK>  mt76_dma_cleanup+0x54/0x2f0 [mt76]  mt7921_pci_remove+0xd5/0x190 [mt7921e]  pci_device_remove+0x47/0xc0  device_release_driver_internal+0x19e/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x2e/0xb0  __do_sys_delete_module.isra.0+0x197/0x2e0  do_syscall_64+0x7b/0x160  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way.  Found by Linux Verification Center (linuxtesting.org).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38010",
                        "url": "https://ubuntu.com/security/CVE-2025-38010",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking  The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as:  [  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [  237.763103] Call trace: [  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170 [  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30 [  237.763110]  phy_power_off+0x48/0x100 [  237.763113]  tegra_xusb_enter_elpg+0x204/0x500 [  237.763119]  tegra_xusb_suspend+0x48/0x140 [  237.763122]  platform_pm_suspend+0x2c/0xb0 [  237.763125]  dpm_run_callback.isra.0+0x20/0xa0 [  237.763127]  __device_suspend+0x118/0x330 [  237.763129]  dpm_suspend+0x10c/0x1f0 [  237.763130]  dpm_suspend_start+0x88/0xb0 [  237.763132]  suspend_devices_and_enter+0x120/0x500 [  237.763135]  pm_suspend+0x1ec/0x270  The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count.  To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually.  With this change:   - The bias pad is powered on only when the mask is clear.   - Each UTMI pad is powered on or down based on its corresponding bit     in the mask, preventing redundant operations.   
- The overall power state of the shared bias pad is maintained     correctly during suspend/resume cycles.  The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38011",
                        "url": "https://ubuntu.com/security/CVE-2025-38011",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: csa unmap use uninterruptible lock  After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace.  Change to use uninterruptible wait lock fix the issue.  WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525  amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]  Call Trace:   <TASK>   drm_file_free.part.0+0x1da/0x230 [drm]   drm_close_helper.isra.0+0x65/0x70 [drm]   drm_release+0x6a/0x120 [drm]   amdgpu_drm_release+0x51/0x60 [amdgpu]   __fput+0x9f/0x280   ____fput+0xe/0x20   task_work_run+0x67/0xa0   do_exit+0x217/0x3c0   do_group_exit+0x3b/0xb0   get_signal+0x14a/0x8d0   arch_do_signal_or_restart+0xde/0x100   exit_to_user_mode_loop+0xc1/0x1a0   exit_to_user_mode_prepare+0xf4/0x100   syscall_exit_to_user_mode+0x17/0x40   do_syscall_64+0x69/0xc0  (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38016",
                        "url": "https://ubuntu.com/security/CVE-2025-38016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: bpf: abort dispatch if device destroyed  The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages.  The bug will be triggered if the conditions below are met:  A) a device under the driver has some LEDs on B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)  If condition A is met, hidinput_led_worker() is always scheduled *after* hid_bpf_destroy_device().  hid_destroy_device ` hid_bpf_destroy_device   ` cleanup_srcu_struct(&hdev->bpf.srcu) ` hid_remove_device   ` ...     ` led_classdev_unregister       ` led_trigger_set(led_cdev, NULL)         ` led_set_brightness(led_cdev, LED_OFF)           ` ...             ` input_inject_event               ` input_event_dispose                 ` hidinput_input_event                   ` schedule_work(&hid->led_work) [hidinput_led_worker]  This is fine when condition B is not met, where hidinput_led_worker() calls hid_ll_driver->request(). This is the case for most HID drivers, which implement it or use the generic one from usbhid. The driver itself or an underlying driver will then abort processing the request.  Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads to the bug.  hidinput_led_worker ` hid_hw_output_report   ` dispatch_hid_bpf_output_report     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  The bug has existed since the introduction [2] of dispatch_hid_bpf_output_report(). 
However, the same bug also exists in dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect because of the lack of [1], but confirmed bpf.destroyed == 1) the bug against the commit (i.e., the Fixes:) introducing the function. This is because hidinput_led_worker() falls back to hid_hw_raw_request() when hid_ll_driver->output_report() is uninplemented (e.g., logitech- djreceiver).  hidinput_led_worker ` hid_hw_output_report: -ENOSYS ` hid_hw_raw_request   ` dispatch_hid_bpf_raw_requests     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  Fix the issue by returning early in the two mentioned functions if hid_bpf has been marked as destroyed. Though dispatch_hid_bpf_device_event() handles input events, and there is no evidence that it may be called after the destruction, the same check, as a safety net, is also added to it to maintain the consistency among all dispatch functions.  The impact of the bug on other architectures is unclear. Even if it acts as a hidden failure, this is still dangerous because it corrupts whatever is on the address calculated by SRCU. Thus, CC'ing the stable list.  [1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\") [2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for hid_hw_output_report\")",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38012",
                        "url": "https://ubuntu.com/security/CVE-2025-38012",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator  BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that next() and destroy() become noops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38018",
                        "url": "https://ubuntu.com/security/CVE-2025-38018",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix kernel panic when alloc_page failed  We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called.  This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we detached the rcvq from the frag list. Alternative fix would be to reset full_len.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028  Call trace:  tls_strp_check_rcv+0x128/0x27c  tls_strp_data_ready+0x34/0x44  tls_data_ready+0x3c/0x1f0  tcp_data_ready+0x9c/0xe4  tcp_data_queue+0xf6c/0x12d0  tcp_rcv_established+0x52c/0x798",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38019",
                        "url": "https://ubuntu.com/security/CVE-2025-38019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices  The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:   # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1  # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 NOARP  (Note that the neighbor is not marked with 'offload')  When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:   # devlink dev reload pci/0000:01:00.0  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 offload NOARP  If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:   # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1  # ip link del dev gre1  Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.  [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200 Read of size 8 at addr ffff888155b0e420 by task ip/2282 [...] 
Call Trace:  <TASK>  dump_stack_lvl+0x6f/0xa0  print_address_description.constprop.0+0x6f/0x350  print_report+0x108/0x205  kasan_report+0xdf/0x110  mlxsw_sp_neigh_entry_update+0x1ea/0x200  mlxsw_sp_router_rif_gone_sync+0x2a8/0x440  mlxsw_sp_rif_destroy+0x1e9/0x750  mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0  mlxsw_sp_router_netdevice_event+0x3ac/0x15e0  notifier_call_chain+0xca/0x150  call_netdevice_notifiers_info+0x7f/0x100  unregister_netdevice_many_notify+0xc8c/0x1d90  rtnl_dellink+0x34e/0xa50  rtnetlink_rcv_msg+0x6fb/0xb70  netlink_rcv_skb+0x131/0x360  netlink_unicast+0x426/0x710  netlink_sendmsg+0x75a/0xc20  __sock_sendmsg+0xc1/0x150  ____sys_sendmsg+0x5aa/0x7b0  ___sys_sendmsg+0xfc/0x180  __sys_sendmsg+0x121/0x1b0  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38013",
                        "url": "https://ubuntu.com/security/CVE-2025-38013",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request  Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller:  UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')  This was missed in the initial conversions because I failed to locate the allocation likely due to the \"sizeof(void *)\" not matching the \"channels\" array type.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38002",
                        "url": "https://ubuntu.com/security/CVE-2025-38002",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()  Not everything requires locking in there, which is why the 'has_lock' variable exists. But enough does that it's a bit unwieldy to manage. Wrap the whole thing in a ->uring_lock trylock, and just return with no output if we fail to grab it. The existing trylock() will already have greatly diminished utility/output for the failure case.  This fixes an issue with reading the SQE fields, if the ring is being actively resized at the same time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-06 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38027",
                        "url": "https://ubuntu.com/security/CVE-2025-38027",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regulator: max20086: fix invalid memory access  max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.  of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().  struct devm_of_regulator_matches is populated with the stack allocated matches array.  If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:  max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.  Followed by a stack trace matching the call flow described above.  Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.  This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38020",
                        "url": "https://ubuntu.com/security/CVE-2025-38020",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Disable MACsec offload for uplink representor profile  MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features.  If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set.  Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().  Kernel log:  Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace:  <TASK>  ? die_addr+0x3d/0xa0  ? 
exc_general_protection+0x144/0x220  ? asm_exc_general_protection+0x22/0x30  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? __mutex_lock+0x128/0x1dd0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mutex_lock_io_nested+0x1ae0/0x1ae0  ? lock_acquire+0x1c2/0x530  ? macsec_upd_offload+0x145/0x380  ? lockdep_hardirqs_on_prepare+0x400/0x400  ? kasan_save_stack+0x30/0x40  ? kasan_save_stack+0x20/0x40  ? kasan_save_track+0x10/0x30  ? __kasan_kmalloc+0x77/0x90  ? __kmalloc_noprof+0x249/0x6b0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]  macsec_update_offload+0x26c/0x820  ? macsec_set_mac_address+0x4b0/0x4b0  ? lockdep_hardirqs_on_prepare+0x284/0x400  ? _raw_spin_unlock_irqrestore+0x47/0x50  macsec_upd_offload+0x2c8/0x380  ? macsec_update_offload+0x820/0x820  ? __nla_parse+0x22/0x30  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240  genl_family_rcv_msg_doit+0x1cc/0x2a0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240  ? cap_capable+0xd4/0x330  genl_rcv_msg+0x3ea/0x670  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? macsec_update_offload+0x820/0x820  netlink_rcv_skb+0x12b/0x390  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? netlink_ack+0xd80/0xd80  ? rwsem_down_read_slowpath+0xf90/0xf90  ? netlink_deliver_tap+0xcd/0xac0  ? netlink_deliver_tap+0x155/0xac0  ? _copy_from_iter+0x1bb/0x12c0  genl_rcv+0x24/0x40  netlink_unicast+0x440/0x700  ? netlink_attachskb+0x760/0x760  ? lock_acquire+0x1c2/0x530  ? __might_fault+0xbb/0x170  netlink_sendmsg+0x749/0xc10  ? netlink_unicast+0x700/0x700  ? __might_fault+0xbb/0x170  ? netlink_unicast+0x700/0x700  __sock_sendmsg+0xc5/0x190  ____sys_sendmsg+0x53f/0x760  ? import_iovec+0x7/0x10  ? kernel_sendmsg+0x30/0x30  ? __copy_msghdr+0x3c0/0x3c0  ? filter_irq_stacks+0x90/0x90  ? 
stack_depot_save_flags+0x28/0xa30  ___sys_sen ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38021",
                        "url": "https://ubuntu.com/security/CVE-2025-38021",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp  Similar to commit 6a057072ddd1 (\"drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe\") that addresses a null pointer dereference on dcn20_update_dchubp_dpp. This is the same function hooked for update_dchubp_dpp in dcn401, with the same issue. Fix possible null pointer dereference on dcn401_program_pipe too.  (cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38006",
                        "url": "https://ubuntu.com/security/CVE-2025-38006",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mctp: Don't access ifa_index when missing  In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox \"ip addr show\".  The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index).  BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380  rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824  netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37992",
                        "url": "https://ubuntu.com/security/CVE-2025-37992",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: Flush gso_skb list too during ->change()  Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen.  This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-26 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38022",
                        "url": "https://ubuntu.com/security/CVE-2025-38022",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem  Call Trace:   __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc3/0x670 mm/kasan/report.c:521  kasan_report+0xe0/0x110 mm/kasan/report.c:634  strlen+0x93/0xa0 lib/string.c:420  __fortify_strlen include/linux/fortify-string.h:268 [inline]  get_kobj_path_length lib/kobject.c:118 [inline]  kobject_get_path+0x3f/0x2a0 lib/kobject.c:158  kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545  ib_register_device drivers/infiniband/core/device.c:1472 [inline]  ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393  rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552  rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550  rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225  nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796  rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195  rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]  netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339  netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566  ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620  __sys_sendmsg+0x16d/0x220 net/socket.c:2652  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This problem is similar to the problem that the commit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\") fixes.  The root cause is: the function ib_device_rename() renames the name with lock. 
But in the function kobject_uevent(), this name is accessed without lock protection at the same time.  The solution is to add the lock protection when this name is accessed in the function kobject_uevent().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38028",
                        "url": "https://ubuntu.com/security/CVE-2025-38028",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS/localio: Fix a race in nfs_local_open_fh()  Once the clp->cl_uuid.lock has been dropped, another CPU could come in and free the struct nfsd_file that was just added. To prevent that from happening, take the RCU read lock before dropping the spin lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38023",
                        "url": "https://ubuntu.com/security/CVE-2025-38023",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs: handle failure of nfs_get_lock_context in unlock path  When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example:  BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace:  <TASK>  __rpc_execute+0xbc/0x480  rpc_async_schedule+0x2f/0x40  process_one_work+0x232/0x5d0  worker_thread+0x1da/0x3d0  ? __pfx_worker_thread+0x10/0x10  kthread+0x10d/0x240  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x34/0x50  ? 
__pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]---  Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38007",
                        "url": "https://ubuntu.com/security/CVE-2025-38007",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: uclogic: Add NULL check in uclogic_input_configured()  devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38024",
                        "url": "https://ubuntu.com/security/CVE-2025-38024",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug  Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xcf/0x610 mm/kasan/report.c:489  kasan_report+0xb5/0xe0 mm/kasan/report.c:602  rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195  rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132  __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232  rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109  create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052  ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095  ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679  vfs_write fs/read_write.c:677 [inline]  vfs_write+0x26a/0xcc0 fs/read_write.c:659  ksys_write+0x1b8/0x200 fs/read_write.c:731  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur.  The solution is to let rxe_cleanup do all the work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38025",
                        "url": "https://ubuntu.com/security/CVE-2025-38025",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: adc: ad7606: check for NULL before calling sw_mode_config()  Check that the sw_mode_config function pointer is not NULL before calling it. Not all buses define this callback, which resulted in a NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-18 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37963",
                        "url": "https://ubuntu.com/security/CVE-2025-37963",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users  Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB.  In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37948",
                        "url": "https://ubuntu.com/security/CVE-2025-37948",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs  A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next.  On exit from a BPF program, emit the BHB mitigation sequence.  This is only applied for 'classic' cBPF programs that are loaded by seccomp.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37994",
                        "url": "https://ubuntu.com/security/CVE-2025-37994",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix NULL pointer access  This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37967",
                        "url": "https://ubuntu.com/security/CVE-2025-37967",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix deadlock  This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock scenario where ucsi_displayport_remove_partner holds con->mutex waiting for dp_altmode_work to complete while dp_altmode_work attempts to acquire it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37950",
                        "url": "https://ubuntu.com/security/CVE-2025-37950",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix panic in failed foilio allocation  commit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit 9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of pages\") save -ENOMEM in the folio array upon allocation failure and call the folio array free code.  The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic.  Fix by NULLing the error folio entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37995",
                        "url": "https://ubuntu.com/security/CVE-2025-37995",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  module: ensure that kobject_put() is safe for module type kobjects  In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37960",
                        "url": "https://ubuntu.com/security/CVE-2025-37960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memblock: Accept allocated memory before use in memblock_double_array()  When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest:    RIP: 0010:memcpy_orig+0x68/0x130   Code: ...   RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006   RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000   RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00   RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000   R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78   R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00   memblock_double_array+0xff/0x310   memblock_add_range+0x1fb/0x2f0   memblock_reserve+0x4f/0xa0   memblock_alloc_range_nid+0xac/0x130   memblock_alloc_internal+0x53/0xc0   memblock_alloc_try_nid+0x3d/0xa0   swiotlb_init_remap+0x149/0x2f0   mem_init+0xb/0xb0   mm_core_init+0x8f/0x350   start_kernel+0x17e/0x5d0   x86_64_start_reservations+0x14/0x30   x86_64_start_kernel+0x92/0xa0   secondary_startup_64_no_verify+0x194/0x19b  Mitigate this by calling accept_memory() on the memory range returned before the slab is available.  Prior to v6.12, the accept_memory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the accept_memory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37996",
                        "url": "https://ubuntu.com/security/CVE-2025-37996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()  Commit fce886a60207 (\"KVM: arm64: Plumb the pKVM MMU in KVM\") made the initialization of the local memcache variable in user_mem_abort() conditional, leaving a codepath where it is used uninitialized via kvm_pgtable_stage2_map().  This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging.  Fix this by making sure that memcache is always valid.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37949",
                        "url": "https://ubuntu.com/security/CVE-2025-37949",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xenbus: Use kref to track req lifetime  Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace:  <TASK>  __wake_up_common_lock+0x82/0xd0  process_msg+0x18e/0x2f0  xenbus_thread+0x165/0x1c0  process_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems like it was xs_wake_up() in this case.  It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed data.  Linux Device Drivers 2nd edition states: \"Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns.\" ... which would match the behaviour observed.  Change to keeping two krefs on each request.  One for the caller, and one for xenbus_thread.  Each will kref_put() when finished, and the last will free it.  This use of kref matches the description in Documentation/core-api/kref.rst",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37954",
                        "url": "https://ubuntu.com/security/CVE-2025-37954",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Avoid race in open_cached_dir with lease breaks  A pre-existing valid cfid returned from find_or_create_cached_dir might race with a lease break, meaning open_cached_dir doesn't consider it valid, and thinks it's newly-constructed. This leaks a dentry reference if the allocation occurs before the queued lease break work runs.  Avoid the race by holding the cfid_list_lock across find_or_create_cached_dir and the point where the result is checked.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37965",
                        "url": "https://ubuntu.com/security/CVE-2025-37965",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix invalid context error in dml helper  [Why] \"BUG: sleeping function called from invalid context\" error. after: \"drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()\"  The populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag for memory allocation, which shouldn't be used in atomic contexts.  The allocation is needed only for using another helper function get_scaler_data_for_plane().  [How] Modify helpers to pass a pointer to scaler_data within existing context, eliminating the need for dynamic memory allocation/deallocation and copying.  (cherry picked from commit bd3e84bc98f81b44f2c43936bdadc3241d654259)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37951",
                        "url": "https://ubuntu.com/security/CVE-2025-37951",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/v3d: Add job to pending list if the reset was skipped  When a CL/CSD job times out, we check if the GPU has made any progress since the last timeout. If so, instead of resetting the hardware, we skip the reset and let the timer get rearmed. This gives long-running jobs a chance to complete.  However, when `timedout_job()` is called, the job in question is removed from the pending list, which means it won't be automatically freed through `free_job()`. Consequently, when we skip the reset and keep the job running, the job won't be freed when it finally completes.  This situation leads to a memory leak, as exposed in [1] and [2].  Similarly to commit 704d3d60fec4 (\"drm/etnaviv: don't block scheduler when GPU is still active\"), this patch ensures the job is put back on the pending list when extending the timeout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37968",
                        "url": "https://ubuntu.com/security/CVE-2025-37968",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: light: opt3001: fix deadlock due to concurrent flag access  The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock.  Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37969",
                        "url": "https://ubuntu.com/security/CVE-2025-37969",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo  Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37970",
                        "url": "https://ubuntu.com/security/CVE-2025-37970",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo  Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37966",
                        "url": "https://ubuntu.com/security/CVE-2025-37966",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL  When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes:  Oops - illegal instruction [#1]     [snip] epc : set_tagged_addr_ctrl+0x112/0x15a  ra : set_tagged_addr_ctrl+0x74/0x15a epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10     [snip] status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002     set_tagged_addr_ctrl+0x112/0x15a     __riscv_sys_prctl+0x352/0x73c     do_trap_ecall_u+0x17c/0x20c     andle_exception+0x150/0x15c  Fix it by checking if Supm is available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37957",
                        "url": "https://ubuntu.com/security/CVE-2025-37957",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception  Previously, commit ed129ec9057f (\"KVM: x86: forcibly leave nested mode on vCPU reset\") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM).  This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception while the vCPU is in SMM. This situation was reprodused using Syzkaller by:    1) Creating a KVM VM and vCPU   2) Sending a KVM_SMI ioctl to explicitly enter SMM   3) Executing invalid instructions causing consecutive exceptions and      eventually a triple fault  The issue manifests as follows:    WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112   kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Modules linked in:   CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted   6.1.130-syzkaller-00157-g164fe5dde9b6 #0   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),   BIOS 1.12.0-1 04/01/2014   RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Call Trace:    <TASK>    shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136    svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395    svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457    vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline]    vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062    kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283    kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:870 [inline]    __se_sys_ioctl fs/ioctl.c:856 [inline]    __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856    do_syscall_x64 arch/x86/entry/common.c:51 [inline]    do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81    
entry_SYSCALL_64_after_hwframe+0x6e/0xd8  Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN() in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper emulation of INIT.  SHUTDOWN on SVM is a weird edge case where KVM needs to do _something_ sane with the VMCB, since it's technically undefined, and INIT is the least awful choice given KVM's ABI.  So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of SMM to avoid any weirdness (and the WARN).  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [sean: massage changelog, make it clear this isn't architectural behavior]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37958",
                        "url": "https://ubuntu.com/security/CVE-2025-37958",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/huge_memory: fix dereferencing invalid pmd migration entry  When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below.  To prevent this invalid access, it is necessary to check the PMD migration entry and return early.  In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio.  Since the PMD migration entry is locked, it cannot be served as the target.  Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\"  BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The bug is found by syzkaller on an internal kernel, then confirmed on upstream.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37964",
                        "url": "https://ubuntu.com/security/CVE-2025-37964",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Eliminate window where TLB flushes may be inadvertently skipped  tl;dr: There is a window in the mm switching code where the new CR3 is set and the CPU should be getting TLB flushes for the new mm.  But should_flush_tlb() has a bug and suppresses the flush.  Fix it by widening the window where should_flush_tlb() sends an IPI.  Long Version:  === History ===  There were a few things leading up to this.  First, updating mm_cpumask() was observed to be too expensive, so it was made lazier.  But being lazy caused too many unnecessary IPIs to CPUs due to the now-lazy mm_cpumask().  So code was added to cull mm_cpumask() periodically[2].  But that culling was a bit too aggressive and skipped sending TLB flushes to CPUs that need them.  So here we are again.  === Problem ===  The too-aggressive code in should_flush_tlb() strikes in this window:  \t// Turn on IPIs for this CPU/mm combination, but only \t// if should_flush_tlb() agrees: \tcpumask_set_cpu(cpu, mm_cpumask(next));  \tnext_tlb_gen = atomic64_read(&next->context.tlb_gen); \tchoose_new_asid(next, next_tlb_gen, &new_asid, &need_flush); \tload_new_mm_cr3(need_flush); \t// ^ After 'need_flush' is set to false, IPIs *MUST* \t// be sent to this CPU and not be ignored.          this_cpu_write(cpu_tlbstate.loaded_mm, next); \t// ^ Not until this point does should_flush_tlb() \t// become true!  should_flush_tlb() will suppress TLB flushes between load_new_mm_cr3() and writing to 'loaded_mm', which is a window where they should not be suppressed.  Whoops.  === Solution ===  Thankfully, the fuzzy \"just about to write CR3\" window is already marked with loaded_mm==LOADED_MM_SWITCHING.  Simply checking for that state in should_flush_tlb() is sufficient to ensure that the CPU is targeted with an IPI.  This will cause more TLB flush IPIs.  
But the window is relatively small and I do not expect this to cause any kind of measurable performance impact.  Update the comment where LOADED_MM_SWITCHING is written since it grew yet another user.  Peter Z also raised a concern that should_flush_tlb() might not observe 'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off() writes them.  Add a barrier to ensure that they are observed in the order they are written.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37971",
                        "url": "https://ubuntu.com/security/CVE-2025-37971",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: bcm2835-camera: Initialise dev in v4l2_dev  Commit 42a2f6664e18 (\"staging: vc04_services: Move global g_state to vchiq_state\") changed mmal_init to pass dev->v4l2_dev.dev to vchiq_mmal_init, however nothing initialised dev->v4l2_dev, so we got a NULL pointer dereference.  Set dev->v4l2_dev.dev during bcm2835_mmal_probe. The device pointer could be passed into v4l2_device_register to set it, however that also has other effects that would need additional changes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37972",
                        "url": "https://ubuntu.com/security/CVE-2025-37972",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: mtk-pmic-keys - fix possible null pointer dereference  In mtk_pmic_keys_probe, the regs parameter is only set if the button is parsed in the device tree. However, on hardware where the button is left floating, that node will most likely be removed not to enable that input. In that case the code will try to dereference a null pointer.  Let's use the regs struct instead as it is defined for all supported platforms. Note that it is ok setting the key reg even if that latter is disabled as the interrupt won't be enabled anyway.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37959",
                        "url": "https://ubuntu.com/security/CVE-2025-37959",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Scrub packet on bpf_redirect_peer  When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be \"misused\" in another namespace.  As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function.      NETNS       MARK  IFACE  TUPLE                                FUNC     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 gro_cells_receive                              .active_extensions = (__u8)2,     [...]     4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53 skb_do_redirect                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 ip_rcv_core                              .active_extensions = (__u8)2,     [...]     
4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)                              .active_extensions = (__u8)2,  In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected. When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption.  This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37961",
                        "url": "https://ubuntu.com/security/CVE-2025-37961",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: fix uninit-value for saddr in do_output_route4  syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 (\"ipvs: do not use random local source address for tunnels\") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr.  [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 
arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4167 [inline]  slab_alloc_node mm/slub.c:4210 [inline]  __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367  kmalloc_noprof include/linux/slab.h:905 [inline]  ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]  __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engi ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37993",
                        "url": "https://ubuntu.com/security/CVE-2025-37993",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe  The spin lock tx_handling_spinlock in struct m_can_classdev is not being initialized. This leads the following spinlock bad magic complaint from the kernel, eg. when trying to send CAN frames with cansend from can-utils:  | BUG: spinlock bad magic on CPU#0, cansend/95 |  lock: 0xff60000002ec1010, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 | CPU: 0 UID: 0 PID: 95 Comm: cansend Not tainted 6.15.0-rc3-00032-ga79be02bba5c #5 NONE | Hardware name: MachineWare SIM-V (DT) | Call Trace: | [<ffffffff800133e0>] dump_backtrace+0x1c/0x24 | [<ffffffff800022f2>] show_stack+0x28/0x34 | [<ffffffff8000de3e>] dump_stack_lvl+0x4a/0x68 | [<ffffffff8000de70>] dump_stack+0x14/0x1c | [<ffffffff80003134>] spin_dump+0x62/0x6e | [<ffffffff800883ba>] do_raw_spin_lock+0xd0/0x142 | [<ffffffff807a6fcc>] _raw_spin_lock_irqsave+0x20/0x2c | [<ffffffff80536dba>] m_can_start_xmit+0x90/0x34a | [<ffffffff806148b0>] dev_hard_start_xmit+0xa6/0xee | [<ffffffff8065b730>] sch_direct_xmit+0x114/0x292 | [<ffffffff80614e2a>] __dev_queue_xmit+0x3b0/0xaa8 | [<ffffffff8073b8fa>] can_send+0xc6/0x242 | [<ffffffff8073d1c0>] raw_sendmsg+0x1a8/0x36c | [<ffffffff805ebf06>] sock_write_iter+0x9a/0xee | [<ffffffff801d06ea>] vfs_write+0x184/0x3a6 | [<ffffffff801d0a88>] ksys_write+0xa0/0xc0 | [<ffffffff801d0abc>] __riscv_sys_write+0x14/0x1c | [<ffffffff8079ebf8>] do_trap_ecall_u+0x168/0x212 | [<ffffffff807a830a>] handle_exception+0x146/0x152  Initializing the spin lock in m_can_class_allocate_dev solves that problem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37955",
                        "url": "https://ubuntu.com/security/CVE-2025-37955",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()  The selftests added to our CI by Bui Quang Minh recently reveals that there is a mem leak on the error path of virtnet_xsk_pool_enable():  unreferenced object 0xffff88800a68a000 (size 2048):   comm \"xdp_helper\", pid 318, jiffies 4294692778   hex dump (first 32 bytes):     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   backtrace (crc 0):     __kvmalloc_node_noprof+0x402/0x570     virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)     xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)     xsk_bind+0x6a5/0x1ae0     __sys_bind+0x15e/0x230     __x64_sys_bind+0x72/0xb0     do_syscall_64+0xc1/0x1d0     entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37962",
                        "url": "https://ubuntu.com/security/CVE-2025-37962",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix memory leak in parse_lease_state()  The previous patch that added bounds check for create lease context introduced a memory leak. When the bounds check fails, the function returns NULL without freeing the previously allocated lease_ctx_info structure.  This patch fixes the issue by adding kfree(lreq) before returning NULL in both boundary check cases.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37998",
                        "url": "https://ubuntu.com/security/CVE-2025-37998",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: Fix unsafe attribute parsing in output_userspace()  This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37952",
                        "url": "https://ubuntu.com/security/CVE-2025-37952",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: Fix UAF in __close_file_table_ids  A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this.  The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37947",
                        "url": "https://ubuntu.com/security/CVE-2025-37947",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent out-of-bounds stream writes by validating *pos  ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write.  This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37956",
                        "url": "https://ubuntu.com/security/CVE-2025-37956",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent rename with empty string  A client can send an empty newname string to the ksmbd server. It will cause a kernel oops from d_alloc. This patch returns the error when attempting to rename a file or directory with an empty new name string.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37973",
                        "url": "https://ubuntu.com/security/CVE-2025-37973",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation  Currently during the multi-link element defragmentation process, the multi-link element length is added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer.  To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37999",
                        "url": "https://ubuntu.com/security/CVE-2025-37999",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()  If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty `struct bio`.  Then it retries the bio_add_folio() call.  However, at this point, erofs_onlinefolio_split() has already been called which increments `folio->private`; the retry will call erofs_onlinefolio_split() again, but there will never be a matching erofs_onlinefolio_end() call.  This leaves the folio locked forever and all waiters will be stuck in folio_wait_bit_common().  This bug has been added by commit ce63cb62d794 (\"erofs: support unencoded inodes for fileio\"), but was practically unreachable because there was room for 256 folios in the `struct bio` - until commit 9f74ae8c9ac9 (\"erofs: shorten bvecs[] for file-backed mounts\") which reduced the array capacity to 16 folios.  It was now trivial to trigger the bug by manually invoking readahead from userspace, e.g.:   posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);  This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded.  This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-38083",
                        "url": "https://ubuntu.com/security/CVE-2025-38083",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: prio: fix a race in prio_tune()  Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-20 12:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2121653,
                    1786013,
                    2120454,
                    2111521,
                    2120233,
                    2116247,
                    2115478,
                    2118499,
                    2116175,
                    2119526,
                    2115393,
                    2115738,
                    2118965,
                    2112330,
                    2111231,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119603,
                    2119039,
                    2119039,
                    2119039,
                    2119039,
                    2119039,
                    2119010,
                    2119010,
                    2119010,
                    2119010,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2121449,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2115678,
                    2117649,
                    1786013,
                    2083800,
                    2116072,
                    2115898,
                    2115068,
                    2114516,
                    2113990,
                    2115022,
                    2114697,
                    2115174,
                    2114450,
                    2114258,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115266,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2115252,
                    2113992,
                    2117494,
                    2116061
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-38105",
                                "url": "https://ubuntu.com/security/CVE-2025-38105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Kill timer properly at removal  The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call.  This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer.  For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38114",
                                "url": "https://ubuntu.com/security/CVE-2025-38114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  e1000: Move cancel_work_sync to avoid deadlock  Previously, e1000_down called cancel_work_sync for the e1000 reset task (via e1000_down_and_stop), which takes RTNL.  As reported by users and syzbot, a deadlock is possible in the following scenario:  CPU 0:   - RTNL is held   - e1000_close   - e1000_down   - cancel_work_sync (cancel / wait for e1000_reset_task())  CPU 1:   - process_one_work   - e1000_reset_task   - take RTNL  To remedy this, avoid calling cancel_work_sync from e1000_down (e1000_reset_task does nothing if the device is down anyway). Instead, call cancel_work_sync for e1000_reset_task when the device is being removed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38116",
                                "url": "https://ubuntu.com/security/CVE-2025-38116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix uaf in ath12k_core_init()  When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger a use-after-free (UAF) issue if there is a subsequent access to this notifier chain.  Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases.  Call trace:  notifier_chain_register+0x4c/0x1f0 (P)  atomic_notifier_chain_register+0x38/0x68  ath12k_core_init+0x50/0x4e8 [ath12k]  ath12k_pci_probe+0x5f8/0xc28 [ath12k]  pci_device_probe+0xbc/0x1a8  really_probe+0xc8/0x3a0  __driver_probe_device+0x84/0x1b0  driver_probe_device+0x44/0x130  __driver_attach+0xcc/0x208  bus_for_each_dev+0x84/0x100  driver_attach+0x2c/0x40  bus_add_driver+0x130/0x260  driver_register+0x70/0x138  __pci_register_driver+0x68/0x80  ath12k_pci_init+0x30/0x68 [ath12k]  ath12k_init+0x28/0x78 [ath12k]  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38306",
                                "url": "https://ubuntu.com/security/CVE-2025-38306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/fhandle.c: fix a race in call of has_locked_children()  may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race...  The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question.  Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it.  Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38272",
                                "url": "https://ubuntu.com/security/CVE-2025-38272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: dsa: b53: do not enable EEE on bcm63xx  BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs is EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers.  Fix this by checking if the switch actually supports EEE before attempting to configure it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38311",
                                "url": "https://ubuntu.com/security/CVE-2025-38311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iavf: get rid of the crit lock  Get rid of the crit lock. That frees us from the error prone logic of try_locks.  Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case.  Lockdep reports that we should cancel the work under crit_lock [splat1], and that was the scheme we have mostly followed since [1] by Slawomir. But when that is done we still got into deadlocks [splat2]. So instead we should look at the bigger problem, namely \"weird locking/scheduling\" of the iavf. The first step to fix that is to remove the crit lock. I will followup with a -next series that simplifies scheduling/tasks.  Cancel the work without netdev lock (weird unlock+lock scheme), to fix the [splat2] (which would be totally ugly if we would kept the crit lock).  Extend protected part of iavf_watchdog_task() to include scheduling more work.  Note that the removed comment in iavf_reset_task() was misplaced, it belonged to inside of the removed if condition, so it's gone now.  [splat1] - w/o this patch - The deadlock during VF removal:      WARNING: possible circular locking dependency detected      sh/3825 is trying to acquire lock:       ((work_completion)(&(&adapter->watchdog_task)->work)){+.+.}-{0:0}, at: start_flush_work+0x1a1/0x470           but task is already holding lock:       (&adapter->crit_lock){+.+.}-{4:4}, at: iavf_remove+0xd1/0x690 [iavf]           which lock already depends on the new lock.  
[splat2] - when cancelling work under crit lock, w/o this series, \t   see [2] for the band aid attempt     WARNING: possible circular locking dependency detected     sh/3550 is trying to acquire lock:     ((wq_completion)iavf){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90         but task is already holding lock:     (&dev->lock){+.+.}-{4:4}, at: iavf_remove+0xa6/0x6e0 [iavf]         which lock already depends on the new lock.  [1] fc2e6b3b132a (\"iavf: Rework mutexes for better synchronisation\") [2] https://github.com/pkitszel/linux/commit/52dddbfc2bb60294083f5711a158a",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38128",
                                "url": "https://ubuntu.com/security/CVE-2025-38128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands  In 'mgmt_hci_cmd_sync()', check whether the size of parameters passed in 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data (i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes). Otherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()' to do 'skb_put_data()' from an area beyond the one actually passed to 'mgmt_hci_cmd_sync()'.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38130",
                                "url": "https://ubuntu.com/security/CVE-2025-38130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/connector: only call HDMI audio helper plugged cb if non-null  On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb with NULL as the callback function and codec_dev, as seen in its hdmi_remove function.  The HDMI audio helper then happily tries calling said null function pointer, and produces an Oops as a result.  Fix this by only executing the callback if fn is non-null. This means the .plugged_cb and .plugged_cb_dev members still get appropriately cleared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38132",
                                "url": "https://ubuntu.com/security/CVE-2025-38132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: holding cscfg_csdev_lock while removing cscfg from csdev  There'll be possible race scenario for coresight config:  CPU0                                          CPU1 (perf enable)                                 load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config()   lock(csdev->cscfg_csdev_lock)                                               deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()   <iterating config_csdev_list>              cscfg_remove_owned_csdev_configs()   // here load config activate by CPU1   unlock(csdev->cscfg_csdev_lock)  iterating config_csdev_list could be raced with config_csdev_list's entry delete.  To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs()",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38137",
                                "url": "https://ubuntu.com/security/CVE-2025-38137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/pwrctrl: Cancel outstanding rescan work when unregistering  It's possible to trigger use-after-free here by:    (a) forcing rescan_work_func() to take a long time and   (b) utilizing a pwrctrl driver that may be unloaded for some reason  Cancel outstanding work to ensure it is finished before we allow our data structures to be cleaned up.  [bhelgaas: tidy commit log]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38139",
                                "url": "https://ubuntu.com/security/CVE-2025-38139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfs: Fix oops in write-retry from mis-resetting the subreq iterator  Fix the resetting of the subrequest iterator in netfs_retry_write_stream() to use the iterator-reset function as the iterator may have been shortened by a previous retry.  In such a case, the amount of data to be written by the subrequest is not \"subreq->len\" but \"subreq->len - subreq->transferred\".  Without this, KASAN may see an error in iov_iter_revert():     BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]    BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611    Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147     CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014    Workqueue: events_unbound netfs_write_collection_worker    Call Trace:     <TASK>     __dump_stack lib/dump_stack.c:94 [inline]     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120     print_address_description mm/kasan/report.c:408 [inline]     print_report+0xc3/0x670 mm/kasan/report.c:521     kasan_report+0xe0/0x110 mm/kasan/report.c:634     iov_iter_revert lib/iov_iter.c:633 [inline]     iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611     netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]     netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231     netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]     netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374     process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238     process_scheduled_works kernel/workqueue.c:3319 [inline]     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400     kthread+0x3c2/0x780 kernel/kthread.c:464     ret_from_fork+0x45/0x80 
arch/x86/kernel/process.c:153     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245     </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38140",
                                "url": "https://ubuntu.com/security/CVE-2025-38140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: limit swapping tables for devices with zone write plugs  dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size.  If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device.  If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to.  If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes.  Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources.  Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append.  Also, it cannot change the device size or the zone size. A device can switch to an error target.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38279",
                                "url": "https://ubuntu.com/security/CVE-2025-38279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Do not include stack ptr register in precision backtracking bookkeeping  Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg:   [   60.643604] verifier backtracking bug   [   60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10   [   60.648428] Modules linked in: bpf_testmod(OE)   [   60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G          OE       6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full)   [   60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   [   60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014   [   60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10   [   60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04                        01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ...   [   60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246   [   60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000   [   60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff   [   60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a   [   60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8   [   60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001   [   60.684030] FS:  00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000   [   60.686837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   [   60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0   [   60.691623] Call Trace:   [   60.692821]  <TASK>   [   60.693960]  ? __pfx_verbose+0x10/0x10   [   60.695656]  ? 
__pfx_disasm_kfunc_name+0x10/0x10   [   60.697495]  check_cond_jmp_op+0x16f7/0x39b0   [   60.699237]  do_check+0x58fa/0xab10   ...  Further analysis shows the warning is at line 4302 as below:    4294                 /* static subprog call instruction, which   4295                  * means that we are exiting current subprog,   4296                  * so only r1-r5 could be still requested as   4297                  * precise, r0 and r6-r10 or any stack slot in   4298                  * the current frame should be zero by now   4299                  */   4300                 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {   4301                         verbose(env, \"BUG regs %x\\n\", bt_reg_mask(bt));   4302                         WARN_ONCE(1, \"verifier backtracking bug\");   4303                         return -EFAULT;   4304                 }  With the below test (also in the next patch):   __used __naked static void __bpf_jmp_r10(void)   { \tasm volatile ( \t\"r2 = 2314885393468386424 ll;\" \t\"goto +0;\" \t\"if r2 <= r10 goto +3;\" \t\"if r1 >= -1835016 goto +0;\" \t\"if r2 <= 8 goto +0;\" \t\"if r3 <= 0 goto +0;\" \t\"exit;\" \t::: __clobber_all);   }    SEC(\"?raw_tp\")   __naked void bpf_jmp_r10(void)   { \tasm volatile ( \t\"r3 = 0 ll;\" \t\"call __bpf_jmp_r10;\" \t\"r0 = 0;\" \t\"exit;\" \t::: __clobber_all);   }  The following is the verifier failure log:   0: (18) r3 = 0x0                      ; R3_w=0   2: (85) call pc+2   caller:    R10=fp0   callee:    frame1: R1=ctx() R3_w=0 R10=fp0   5: frame1: R1=ctx() R3_w=0 R10=fp0   ; asm volatile (\"                                 \\ @ verifier_precision.c:184   5: (18) r2 = 0x20202000256c6c78       ; frame1: R2_w=0x20202000256c6c78   7: (05) goto pc+0   8: (bd) if r2 <= r10 goto pc+3        ; frame1: R2_w=0x20202000256c6c78 R10=fp0   9: (35) if r1 >= 0xffe3fff8 goto pc+0         ; frame1: R1=ctx()   10: (b5) if r2 <= 0x8 goto pc+0   mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1   mark_precise: 
frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0   mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3   mark_preci ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38314",
                                "url": "https://ubuntu.com/security/CVE-2025-38314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-pci: Fix result size returned for the admin command completion  The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status.  This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra    data at the end. 2. The allocated buffer in the kernel may be smaller than the returned    size, leading to failures when reading beyond the allocated size.  The commit fixes this by subtracting the status size from the result of virtqueue_get_buf().  This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38316",
                                "url": "https://ubuntu.com/security/CVE-2025-38316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()  The function mt7996_set_monitor() dereferences phy before the NULL sanity check.  Fix this to avoid NULL pointer dereference by moving the dereference after the check.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38281",
                                "url": "https://ubuntu.com/security/CVE-2025-38281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init  devm_kasprintf() can return a NULL pointer on failure, but this returned value in mt7996_thermal_init() is not checked. Add NULL check in mt7996_thermal_init(), to handle kernel NULL pointer dereference error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38284",
                                "url": "https://ubuntu.com/security/CVE-2025-38284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw89: pci: configure manual DAC mode via PCI config API only  To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA.  With NULL mmap address, kernel throws trace:    BUG: unable to handle page fault for address: 0000000000001090   #PF: supervisor write access in kernel mode   #PF: error_code(0x0002) - not-present page   PGD 0 P4D 0   Oops: Oops: 0002 [#1] PREEMPT SMP PTI   CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE     6.14.2-061402-generic #202504101348   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]   RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206   RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000   RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020   RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015   R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060   FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0   Call Trace:    <TASK>    rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]    rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]    rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]    ? __pfx___device_attach_driver+0x10/0x10    ? __pfx___device_attach_driver+0x10/0x10    local_pci_probe+0x47/0xa0    pci_call_probe+0x5d/0x190    pci_device_probe+0xa7/0x160    really_probe+0xf9/0x370    ? 
pm_runtime_barrier+0x55/0xa0    __driver_probe_device+0x8c/0x140    driver_probe_device+0x24/0xd0    __device_attach_driver+0xcd/0x170    bus_for_each_drv+0x99/0x100    __device_attach+0xb4/0x1d0    device_attach+0x10/0x20    pci_bus_add_device+0x59/0x90    pci_bus_add_devices+0x31/0x80    pciehp_configure_device+0xaa/0x170    pciehp_enable_slot+0xd6/0x240    pciehp_handle_presence_or_link_change+0xf1/0x180    pciehp_ist+0x162/0x1c0    irq_thread_fn+0x24/0x70    irq_thread+0xef/0x1c0    ? __pfx_irq_thread_fn+0x10/0x10    ? __pfx_irq_thread_dtor+0x10/0x10    ? __pfx_irq_thread+0x10/0x10    kthread+0xfc/0x230    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x47/0x70    ? __pfx_kthread+0x10/0x10    ret_from_fork_asm+0x1a/0x30    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38287",
                                "url": "https://ubuntu.com/security/CVE-2025-38287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  IB/cm: Drop lockdep assert and WARN when freeing old msg  The send completion handler can run after cm_id has advanced to another message.  The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38289",
                                "url": "https://ubuntu.com/security/CVE-2025-38289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk  Smatch detected a potential use-after-free of an ndlp object in dev_loss_tmo_callbk during driver unload or fatal error handling.  Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38291",
                                "url": "https://ubuntu.com/security/CVE-2025-38291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash  Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.  Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.  Call Trace:  <TASK>  dump_stack_lvl+0x75/0xc0  register_lock_class+0x6be/0x7a0  ? __lock_acquire+0x644/0x19a0  __lock_acquire+0x95/0x19a0  lock_acquire+0x265/0x310  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ? find_held_lock+0x34/0xa0  ? ath12k_ce_send+0x56/0x210 [ath12k]  _raw_spin_lock_bh+0x33/0x70  ? ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_ce_send+0xa2/0x210 [ath12k]  ath12k_htc_send+0x178/0x390 [ath12k]  ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]  ath12k_wmi_cmd_send+0x62/0x190 [ath12k]  ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1  ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]  ieee80211_dump_survey+0x99/0x240 [mac80211]  nl80211_dump_survey+0xe7/0x470 [cfg80211]  ? kmalloc_reserve+0x59/0xf0  genl_dumpit+0x24/0x70  netlink_dump+0x177/0x360  __netlink_dump_start+0x206/0x280  genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0  ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0  ? genl_op_lock.part.12+0x10/0x10  ? genl_dumpit+0x70/0x70  genl_rcv_msg+0x1d0/0x290  ? nl80211_del_station+0x330/0x330 [cfg80211]  ? genl_get_cmd_both+0x50/0x50  netlink_rcv_skb+0x4f/0x100  genl_rcv+0x1f/0x30  netlink_unicast+0x1b6/0x260  netlink_sendmsg+0x31a/0x450  __sock_sendmsg+0xa8/0xb0  ____sys_sendmsg+0x1e4/0x260  ___sys_sendmsg+0x89/0xe0  ? local_clock_noinstr+0xb/0xc0  ? rcu_is_watching+0xd/0x40  ? kfree+0x1de/0x370  ? 
__sys_sendmsg+0x7a/0xc0  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38294",
                                "url": "https://ubuntu.com/security/CVE-2025-38294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix NULL access in assign channel context handler  Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn).  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38296",
                                "url": "https://ubuntu.com/security/CVE-2025-38296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: platform_profile: Avoid initializing on non-ACPI platforms  The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_register() to the module init call, and those entries need acpi_kobj to be initialized which is not the case when ACPI is disabled.  This results in the following warning:   WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8  Modules linked in:  CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.15.0-rc7-dirty #6 PREEMPT  Tainted: [W]=WARN  Hardware name: riscv-virtio,qemu (DT)  epc : internal_create_group+0xa22/0xdd8   ra : internal_create_group+0xa22/0xdd8   Call Trace:   internal_create_group+0xa22/0xdd8  sysfs_create_group+0x22/0x2e  platform_profile_init+0x74/0xb2  do_one_initcall+0x198/0xa9e  kernel_init_freeable+0x6d8/0x780  kernel_init+0x28/0x24c  ret_from_fork+0xe/0x18  Fix this by checking if ACPI is enabled before trying to create sysfs entries.  [ rjw: Subject and changelog edits ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38100",
                                "url": "https://ubuntu.com/security/CVE-2025-38100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/iopl: Cure TIF_IO_BITMAP inconsistencies  io_bitmap_exit() is invoked from exit_thread() when a task exits or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork().  io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference.  There are two issues, which lead to that problem:    1) io_bitmap_exit() should not invoke task_update_io_bitmap() when      the task, which is cleaned up, is not the current task. That's a      clear indicator for a cleanup after a failed fork().    2) A task should not have TIF_IO_BITMAP set and neither a bitmap      installed nor IOPL emulation level 3 activated.       This happens when a kernel thread is created in the context of      a user space thread, which has TIF_IO_BITMAP set as the thread      flags are copied and the IO bitmap pointer is cleared.       Other than in the failed fork() case this has no impact because      kernel threads including IO workers never return to user space and      therefore never invoke tss_update_io_bitmap().  Cure this by adding the missing cleanups and checks:    1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if      the to be cleaned up task is not the current task.    2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user      space forks it is set later, when the IO bitmap is inherited in      io_bitmap_share().  For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38101",
                                "url": "https://ubuntu.com/security/CVE-2025-38101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()  Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38267",
                                "url": "https://ubuntu.com/security/CVE-2025-38267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not trigger WARN_ON() due to a commit_overrun  When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE().  But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as \"missed_events\".  In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning:   ------------[ cut here ]------------  WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780  Modules linked in: kvm_intel kvm irqbypass  CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780  Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50  RSP: 0018:ffff888121787dc0 EFLAGS: 00010002  RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49  RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8  RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982  R10: ffff888126934c17 
R11: ffff8881010050a8 R12: ffff888126934c00  R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008  FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0  Call Trace:   <TASK>   ? __pfx_ring_buffer_map_get_reader+0x10/0x10   tracing_buffers_ioctl+0x283/0x370   __x64_sys_ioctl+0x134/0x190   do_syscall_64+0x79/0x1c0   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f95c8de48db  Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00  RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010  RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db  RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006  RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90   </TASK>  irq event stamp: 5080  hardirqs last  enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70  hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70  softirqs last  enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710  softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210  ---[ end trace 0000000000000000 ]---  The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command:   # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50  With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an 
event being written to add enough event ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38268",
                                "url": "https://ubuntu.com/security/CVE-2025-38268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work  A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.  Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:  [110121.667392][    C7] Call trace: [110121.667396][    C7]  __switch_to+0x174/0x338 [110121.667406][    C7]  __schedule+0x608/0x9f0 [110121.667414][    C7]  schedule+0x7c/0xe8 [110121.667423][    C7]  kernfs_drain+0xb0/0x114 [110121.667431][    C7]  __kernfs_remove+0x16c/0x20c [110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][    C7]  sysfs_remove_group+0x84/0xe8 [110121.667450][    C7]  sysfs_remove_groups+0x34/0x58 [110121.667458][    C7]  device_remove_groups+0x10/0x20 [110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4 [110121.667475][    C7]  device_release_driver+0x18/0x28 [110121.667484][    C7]  bus_remove_device+0xec/0x118 [110121.667491][    C7]  device_del+0x1e8/0x4ac [110121.667498][    C7]  device_unregister+0x18/0x38 [110121.667504][    C7]  typec_unregister_altmode+0x30/0x44 [110121.667515][    C7]  tcpm_reset_port+0xac/0x370 [110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8 [110121.667529][    C7]  run_state_machine+0x4c0/0x1b68 [110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4 [110121.667544][    C7]  kthread_worker_fn+0x10c/0x244 [110121.667552][    C7]  kthread+0x104/0x1d4 [110121.667557][    C7]  
ret_from_fork+0x10/0x20  [110121.667689][    C7] Workqueue: events dp_altmode_work [110121.667697][    C7] Call trace: [110121.667701][    C7]  __switch_to+0x174/0x338 [110121.667710][    C7]  __schedule+0x608/0x9f0 [110121.667717][    C7]  schedule+0x7c/0xe8 [110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40 [110121.667733][    C7]  __mutex_lock+0x408/0xdac [110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24 [110121.667748][    C7]  mutex_lock+0x40/0xec [110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4 [110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c [110121.667769][    C7]  dp_altmode_work+0x68/0x164 [110121.667775][    C7]  process_one_work+0x1e4/0x43c [110121.667783][    C7]  worker_thread+0x25c/0x430 [110121.667789][    C7]  kthread+0x104/0x1d4 [110121.667794][    C7]  ret_from_fork+0x10/0x20  Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38102",
                                "url": "https://ubuntu.com/security/CVE-2025-38102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify  During our test, it is found that a warning can be triggered in try_grab_folio as follows:    ------------[ cut here ]------------   WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130   Modules linked in:   CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)   RIP: 0010:try_grab_folio+0x106/0x130   Call Trace:    <TASK>    follow_huge_pmd+0x240/0x8e0    follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0    follow_pud_mask.constprop.0.isra.0+0x14a/0x170    follow_page_mask+0x1c2/0x1f0    __get_user_pages+0x176/0x950    __gup_longterm_locked+0x15b/0x1060    ? gup_fast+0x120/0x1f0    gup_fast_fallback+0x17e/0x230    get_user_pages_fast+0x5f/0x80    vmci_host_unlocked_ioctl+0x21c/0xf80   RIP: 0033:0x54d2cd   ---[ end trace 0000000000000000 ]---  Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follows:  cpu0\t\t\tcpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd  // update &context->notify_page \t\t\tvmci_host_do_set_notify \t\t\tvmci_ctx_unset_notify \t\t\tnotify_page = context->notify_page; \t\t\tif (notify_page) \t\t\tput_page(notify_page);\t// page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here  To solve this, use local variable page to make notify_page can be seen after finish get_user_pages_fast.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38301",
                                "url": "https://ubuntu.com/security/CVE-2025-38301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmem: zynqmp_nvmem: unbreak driver after cleanup  Commit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\") changed the driver to expect the device pointer to be passed as the \"context\", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38352",
                                "url": "https://ubuntu.com/security/CVE-2025-38352",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()  If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().  If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.  Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.  This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-07-22 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38103",
                                "url": "https://ubuntu.com/security/CVE-2025-38103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()  Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor.  Update all references to member element desc[0] to rpt_desc.  Add test to verify bLength and bNumDescriptors values are valid.  Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault.  Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38302",
                                "url": "https://ubuntu.com/security/CVE-2025-38302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work  Bios queued up in the zone write plug have already gone through all preparation in the submit_bio path, including the freeze protection.  Submitting them through submit_bio_noacct_nocheck duplicates the work and can cause deadlocks when freezing a queue with pending bio write plugs.  Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra freeze protection and checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38106",
                                "url": "https://ubuntu.com/security/CVE-2025-38106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()  syzbot reports:  BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304  CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x53/0x70  print_report+0xd0/0x670  ? __pfx__raw_spin_lock_irqsave+0x10/0x10  ? getrusage+0x1109/0x1a60  kasan_report+0xce/0x100  ? getrusage+0x1109/0x1a60  getrusage+0x1109/0x1a60  ? __pfx_getrusage+0x10/0x10  __io_uring_show_fdinfo+0x9fe/0x1790  ? ksys_read+0xf7/0x1c0  ? do_syscall_64+0xa4/0x260  ? vsnprintf+0x591/0x1100  ? __pfx___io_uring_show_fdinfo+0x10/0x10  ? __pfx_vsnprintf+0x10/0x10  ? mutex_trylock+0xcf/0x130  ? __pfx_mutex_trylock+0x10/0x10  ? __pfx_show_fd_locks+0x10/0x10  ? io_uring_show_fdinfo+0x57/0x80  io_uring_show_fdinfo+0x57/0x80  seq_show+0x38c/0x690  seq_read_iter+0x3f7/0x1180  ? inode_set_ctime_current+0x160/0x4b0  seq_read+0x271/0x3e0  ? __pfx_seq_read+0x10/0x10  ? __pfx__raw_spin_lock+0x10/0x10  ? __mark_inode_dirty+0x402/0x810  ? selinux_file_permission+0x368/0x500  ? file_update_time+0x10f/0x160  vfs_read+0x177/0xa40  ? __pfx___handle_mm_fault+0x10/0x10  ? __pfx_vfs_read+0x10/0x10  ? mutex_lock+0x81/0xe0  ? __pfx_mutex_lock+0x10/0x10  ? fdget_pos+0x24d/0x4b0  ksys_read+0xf7/0x1c0  ? __pfx_ksys_read+0x10/0x10  ? 
do_user_addr_fault+0x43b/0x9c0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000  </TASK>  Allocated by task 298:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  __kasan_slab_alloc+0x6e/0x70  kmem_cache_alloc_node_noprof+0xe8/0x330  copy_process+0x376/0x5e00  create_io_thread+0xab/0xf0  io_sq_offload_create+0x9ed/0xf20  io_uring_setup+0x12b0/0x1cc0  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 22:  kasan_save_stack+0x33/0x60  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3b/0x60  __kasan_slab_free+0x37/0x50  kmem_cache_free+0xc4/0x360  rcu_core+0x5ff/0x19f0  handle_softirqs+0x18c/0x530  run_ksoftirqd+0x20/0x30  smpboot_thread_fn+0x287/0x6c0  kthread+0x30d/0x630  ret_from_fork+0xef/0x1a0  ret_from_fork_asm+0x1a/0x30  Last potentially related work creation:  kasan_save_stack+0x33/0x60  kasan_record_aux_stack+0x8c/0xa0  __call_rcu_common.constprop.0+0x68/0x940  __schedule+0xff2/0x2930  __cond_resched+0x4c/0x80  mutex_lock+0x5c/0xe0  io_uring_del_tctx_node+0xe1/0x2b0  io_uring_clean_tctx+0xb7/0x160  io_uring_cancel_generic+0x34e/0x760  do_exit+0x240/0x2350  do_group_exit+0xab/0x220  __x64_sys_exit_group+0x39/0x40  x64_sys_call+0x1243/0x1840  do_syscall_64+0xa4/0x260  entry_SYSCALL_64_after_hwframe+0x77/0x7f  The buggy address belongs to the object at ffff88810de2cb00  which belongs to the cache task_struct of size 
3712 The buggy address is located 1992 bytes inside of  freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)  which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the release or exit of sq->thread.  Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38269",
                                "url": "https://ubuntu.com/security/CVE-2025-38269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: exit after state insertion failure at btrfs_convert_extent_bit()  If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access.  So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38270",
                                "url": "https://ubuntu.com/security/CVE-2025-38270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: drv: netdevsim: don't napi_complete() from netpoll  netdevsim supports netpoll. Make sure we don't call napi_complete() from it, since it may not be scheduled. Breno reports hitting a warning in napi_complete_done():  WARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560   __napi_poll+0x2d8/0x3a0   handle_softirqs+0x1fe/0x710  This is presumably after netpoll stole the SCHED bit prematurely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38107",
                                "url": "https://ubuntu.com/security/CVE-2025-38107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: ets: fix a race in ets_qdisc_change()  Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38108",
                                "url": "https://ubuntu.com/security/CVE-2025-38108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: red: fix a race in __red_change()  Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38109",
                                "url": "https://ubuntu.com/security/CVE-2025-38109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix ECVF vports unload on shutdown flow  Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed.  ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports.  kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28    refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38303",
                                "url": "https://ubuntu.com/security/CVE-2025-38303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: eir: Fix possible crashes on eir_create_adv_data  eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38304",
                                "url": "https://ubuntu.com/security/CVE-2025-38304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: Fix NULL pointer dereference on eir_get_service_data  The len parameter is considered optional, so it can be NULL and therefore cannot be used for skipping to the next entry of EIR_SERVICE_DATA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38110",
                                "url": "https://ubuntu.com/security/CVE-2025-38110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds clause 45 read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38111",
                                "url": "https://ubuntu.com/security/CVE-2025-38111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mdiobus: Fix potential out-of-bounds read/write access  When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.  Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38112",
                                "url": "https://ubuntu.com/security/CVE-2025-38112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: Fix TOCTOU issue in sk_is_readable()  sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL.  This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference.  Ensure the function pointer does not turn NULL after the check.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38113",
                                "url": "https://ubuntu.com/security/CVE-2025-38113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: CPPC: Fix NULL pointer dereference when nosmp is used  With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic.  Panic backtrace:  [    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [    0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init!  [ rjw: New subject ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38088",
                                "url": "https://ubuntu.com/security/CVE-2025-38088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap  memtrace mmap has an out of bounds issue. This patch fixes it by checking that the requested mapping region size stays within the allocated region size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38115",
                                "url": "https://ubuntu.com/security/CVE-2025-38115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: fix a potential crash on gso_skb handling  SFQ has an assumption of always being able to queue at least one packet.  However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop.  Fix sfq_drop() to properly clear q->tail in this situation.   ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off                 # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100  ip netns exec lb netserver  netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 &",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38414",
                                "url": "https://ubuntu.com/security/CVE-2025-38414",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850  GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms.  Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue.  Note IPQ5332 is not affected as it is not PCIe based device.  Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-25 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38305",
                                "url": "https://ubuntu.com/security/CVE-2025-38305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()  There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use.  However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store().  ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415  but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:  n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215  other info that might help us debug this:  Possible unsafe locking scenario:         CPU0        ----   lock(&ptp->n_vclocks_mux);   lock(&ptp->n_vclocks_mux);   *** DEADLOCK *** .... ============================================  The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use().  The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks.  Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38117",
                                "url": "https://ubuntu.com/security/CVE-2025-38117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Protect mgmt_pending list with its own lock  This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like:  ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318  CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace:  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)  __dump_stack+0x30/0x40 lib/dump_stack.c:94  dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120  print_address_description+0xa8/0x254 mm/kasan/report.c:408  print_report+0x68/0x84 mm/kasan/report.c:521  kasan_report+0xb0/0x110 mm/kasan/report.c:634  __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379  hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91  mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223  pending_find net/bluetooth/mgmt.c:947 [inline]  remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445  hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712  hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  sock_write_iter+0x25c/0x378 net/socket.c:1131  new_sync_write fs/read_write.c:591 [inline]  vfs_write+0x62c/0x97c fs/read_write.c:684  ksys_write+0x120/0x210 fs/read_write.c:736  __do_sys_write fs/read_write.c:747 [inline]  __se_sys_write fs/read_write.c:744 [inline]  __arm64_sys_write+0x7c/0x90 fs/read_write.c:744  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Allocated by task 7037:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4327 [inline]  __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198  sk_alloc+0x44/0x3ac net/core/sock.c:2254  bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148  hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202  bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132  __sock_create+0x43c/0x91c net/socket.c:1541  sock_create net/socket.c:1599 [inline]  __sys_socket_create net/socket.c:1636 [inline]  __sys_socket+0xd4/0x1c0 net/socket.c:1683  __do_sys_socket net/socket.c:1697 [inline]  __se_sys_socket net/socket.c:1695 [inline]  __arm64_sys_socket+0x7c/0x94 net/socket.c:1695  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151  el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767  el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600  Freed by task 6607:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x68/0x88 
mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38118",
                                "url": "https://ubuntu.com/security/CVE-2025-38118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete  This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow:  ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341  CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406  hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 5987:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252  mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279  
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:727  sock_write_iter+0x258/0x330 net/socket.c:1131  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x548/0xa90 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 5989:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2380 [inline]  slab_free mm/slub.c:4642 [inline]  kfree+0x18e/0x440 mm/slub.c:4841  mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242  mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366  hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314  __sys_bind_socket net/socket.c:1810 [inline]  __sys_bind+0x2c3/0x3e0 net/socket.c:1841  __do_sys_bind net/socket.c:1846 [inline]  __se_sys_bind net/socket.c:1844 [inline]  __x64_sys_bind+0x7a/0x90 net/socket.c:1844  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38119",
                                "url": "https://ubuntu.com/security/CVE-2025-38119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: core: ufs: Fix a hang in the error handler  ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before.  Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20  [ bvanassche: rewrote patch description ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38307",
                                "url": "https://ubuntu.com/security/CVE-2025-38307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Verify content returned by parse_int_array()  The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38310",
                                "url": "https://ubuntu.com/security/CVE-2025-38310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  seg6: Fix validation of nexthop addresses  The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one.  Fix by validating that the provided length exactly matches the specified one.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38120",
                                "url": "https://ubuntu.com/security/CVE-2025-38120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_set_pipapo_avx2: fix initial map fill  If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map.  The early fix was incomplete and did only fix up the generic C implementation.  A followup patch adds a test case to nft_concat_range.sh.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38122",
                                "url": "https://ubuntu.com/security/CVE-2025-38122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO  gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer.  Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails.  This improves robustness in low-memory scenarios.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38123",
                                "url": "https://ubuntu.com/security/CVE-2025-38123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: Fix napi rx poll issue  When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic.  BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x620 [...] Call Trace:  <IRQ>  ? __die_body+0x68/0xb0  ? page_fault_oops+0x379/0x3e0  ? exc_page_fault+0x4f/0xa0  ? asm_exc_page_fault+0x22/0x30  ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]  ? dev_gro_receive+0x3a/0x620  napi_gro_receive+0xad/0x170  t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]  t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]  net_rx_action+0x103/0x470  irq_exit_rcu+0x13a/0x310  sysvec_apic_timer_interrupt+0x56/0x90  </IRQ>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38124",
                                "url": "https://ubuntu.com/security/CVE-2025-38124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix udp gso skb_segment after pull from frag_list  Commit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after pull from frag_list\") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust.  If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below.  Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size  Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants.  In extreme cases they pull one part of data into skb linear. For UDP, this  causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes.  The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment.      
skb_segment+0xcd0/0xd14     __udp_gso_segment+0x334/0x5f4     udp4_ufo_fragment+0x118/0x15c     inet_gso_segment+0x164/0x338     skb_mac_gso_segment+0xc4/0x13c     __skb_gso_segment+0xc4/0x124     validate_xmit_skb+0x9c/0x2c0     validate_xmit_skb_list+0x4c/0x80     sch_direct_xmit+0x70/0x404     __dev_queue_xmit+0x64c/0xe5c     neigh_resolve_output+0x178/0x1c4     ip_finish_output2+0x37c/0x47c     __ip_finish_output+0x194/0x240     ip_finish_output+0x20/0xf4     ip_output+0x100/0x1a0     NF_HOOK+0xc4/0x16c     ip_forward+0x314/0x32c     ip_rcv+0x90/0x118     __netif_receive_skb+0x74/0x124     process_backlog+0xe8/0x1a4     __napi_poll+0x5c/0x1f8     net_rx_action+0x154/0x314     handle_softirqs+0x154/0x4b8      [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!     [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP     [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000     [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000     [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)     [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14     [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14     [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38125",
                                "url": "https://ubuntu.com/security/CVE-2025-38125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring EST  If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0.  Prevent this division by 0 by adding the corresponding check and error code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38126",
                                "url": "https://ubuntu.com/security/CVE-2025-38126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping  The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0:   Division by zero in kernel.  CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22  Hardware name: STM32 (Device Tree Support)  Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x6c/0x8c   dump_stack_lvl from Ldiv0_64+0x8/0x18   Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4   stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c   stmmac_hw_setup from __stmmac_open+0x18c/0x434   __stmmac_open from stmmac_open+0x3c/0xbc   stmmac_open from __dev_open+0xf4/0x1ac   __dev_open from __dev_change_flags+0x1cc/0x224   __dev_change_flags from dev_change_flags+0x24/0x60   dev_change_flags from ip_auto_config+0x2e8/0x11a0   ip_auto_config from do_one_initcall+0x84/0x33c   do_one_initcall from kernel_init_freeable+0x1b8/0x214   kernel_init_freeable from kernel_init+0x24/0x140   kernel_init from ret_from_fork+0x14/0x28  Exception stack(0xe0815fb0 to 0xe0815ff8)  Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38127",
                                "url": "https://ubuntu.com/security/CVE-2025-38127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix Tx scheduler error handling in XDP callback  When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation.  The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace:  [  +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [  +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [  +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [  +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [  +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]  [...]  [  +0.002715] Call Trace: [  +0.002452]  <IRQ> [  +0.002021]  ? __die_body.cold+0x19/0x29 [  +0.003922]  ? die_addr+0x3c/0x60 [  +0.003319]  ? exc_general_protection+0x17c/0x400 [  +0.004707]  ? asm_exc_general_protection+0x26/0x30 [  +0.004879]  ? __ice_update_sample+0x39/0xe0 [ice] [  +0.004835]  ice_napi_poll+0x665/0x680 [ice] [  +0.004320]  __napi_poll+0x28/0x190 [  +0.003500]  net_rx_action+0x198/0x360 [  +0.003752]  ? update_rq_clock+0x39/0x220 [  +0.004013]  handle_softirqs+0xf1/0x340 [  +0.003840]  ? 
sched_clock_cpu+0xf/0x1f0 [  +0.003925]  __irq_exit_rcu+0xc2/0xe0 [  +0.003665]  common_interrupt+0x85/0xa0 [  +0.003839]  </IRQ> [  +0.002098]  <TASK> [  +0.002106]  asm_common_interrupt+0x26/0x40 [  +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690  Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38129",
                                "url": "https://ubuntu.com/security/CVE-2025-38129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: Fix use-after-free in page_pool_recycle_in_ring  syzbot reported a uaf in page_pool_recycle_in_ring:  BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943  CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x169/0x550 mm/kasan/report.c:489  kasan_report+0x143/0x180 mm/kasan/report.c:602  lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]  _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210  spin_unlock_bh include/linux/spinlock.h:396 [inline]  ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]  page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]  page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826  page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]  page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]  napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036  skb_pp_recycle net/core/skbuff.c:1047 [inline]  skb_free_head net/core/skbuff.c:1094 [inline]  skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125  skb_release_all net/core/skbuff.c:1190 [inline]  __kfree_skb net/core/skbuff.c:1204 [inline]  sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242  kfree_skb_reason include/linux/skbuff.h:1263 [inline]  __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]  root cause is:  page_pool_recycle_in_ring   ptr_ring_produce     spin_lock(&r->producer_lock);     
WRITE_ONCE(r->queue[r->producer++], ptr)       //recycle last page to pool \t\t\t\tpage_pool_release \t\t\t\t  page_pool_scrub \t\t\t\t    page_pool_empty_ring \t\t\t\t      ptr_ring_consume \t\t\t\t      page_pool_return_page  //release all page \t\t\t\t  __page_pool_destroy \t\t\t\t     free_percpu(pool->recycle_stats); \t\t\t\t     free(pool) //free       spin_unlock(&r->producer_lock); //pool->ring uaf read   recycle_stat_inc(pool, ring);  page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.  recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38131",
                                "url": "https://ubuntu.com/security/CVE-2025-38131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  coresight: prevent deactivate active config while enabling the config  While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario:  CPU0                                          CPU1 (sysfs enable)                                load module                                               cscfg_load_config_sets()                                               activate config. // sysfs                                               (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock)                                                deactivate config // sysfs                                               (sys_activec_cnt == 0)                                               cscfg_unload_config_sets()                                               unload module  // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config  To address this, use cscfg_config_desc's active_cnt as a reference count  which will be holded when     - activate the config.     - enable the activated config. and put the module reference when config_active_cnt == 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38274",
                                "url": "https://ubuntu.com/security/CVE-2025-38274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()  fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference.  Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38134",
                                "url": "https://ubuntu.com/security/CVE-2025-38134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()  As demonstrated by the fix for update_port_device_state, commit 12783c0b9e2c (\"usb: core: Prevent null pointer dereference in update_port_device_state\"), usb_hub_to_struct_hub() can return NULL in certain scenarios, such as during hub driver unbind or teardown race conditions, even if the underlying usb_device structure exists.  Plus, all other places that call usb_hub_to_struct_hub() in the same file do check for NULL return values.  If usb_hub_to_struct_hub() returns NULL, the subsequent access to hub->ports[udev->portnum - 1] will cause a null pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38135",
                                "url": "https://ubuntu.com/security/CVE-2025-38135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: Fix potential null-ptr-deref in mlb_usio_probe()  devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference.  Add NULL check after devm_ioremap() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38136",
                                "url": "https://ubuntu.com/security/CVE-2025-38136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: renesas_usbhs: Reorder clock handling and power management in probe  Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks.  Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows:      usbhs_probe()         usbhs_sys_clock_ctrl()             usbhs_bset()                 usbhs_write()                     iowrite16()  <-- Register access before enabling clocks  Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H:  [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 
00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076]  platform_probe+0x68/0xdc [13.406738]  really_probe+0xbc/0x2c0 [13.410306]  __driver_probe_device+0x78/0x120 [13.414653]  driver_probe_device+0x3c/0x154 [13.418825]  __driver_attach+0x90/0x1a0 [13.422647]  bus_for_each_dev+0x7c/0xe0 [13.426470]  driver_attach+0x24/0x30 [13.430032]  bus_add_driver+0xe4/0x208 [13.433766]  driver_register+0x68/0x130 [13.437587]  __platform_driver_register+0x24/0x30 [13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450]  do_one_initcall+0x60/0x1d4 [13.452276]  do_init_module+0x54/0x1f8 [13.456014]  load_module+0x1754/0x1c98 [13.459750]  init_module_from_file+0x88/0xcc [13.464004]  __arm64_sys_finit_module+0x1c4/0x328 [13.468689]  invoke_syscall+0x48/0x104 [13.472426]  el0_svc_common.constprop.0+0xc0/0xe0 [13.477113]  do_el0_svc+0x1c/0x28 [13.480415]  el0_svc+0x30/0xcc [13.483460]  el0t_64_sync_handler+0x10c/0x138 [13.487800]  el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38138",
                                "url": "https://ubuntu.com/security/CVE-2025-38138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: Add NULL check in udma_probe()  devm_kasprintf() returns NULL when memory allocation fails. Currently, udma_probe() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38275",
                                "url": "https://ubuntu.com/security/CVE-2025-38275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug  The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference.  Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38141",
                                "url": "https://ubuntu.com/security/CVE-2025-38141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix dm_blk_report_zones  If dm_get_live_table() returned NULL, dm_put_live_table() was never called. Also, it is possible that md->zone_revalidate_map will change while calling this function. Only read it once, so that we are always using the same value. Otherwise we might miss a call to dm_put_live_table().  Finally, while md->zone_revalidate_map is set and a process is calling blk_revalidate_disk_zones() to set up the zone append emulation resources, it is possible that another process, perhaps triggered by blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If blk_revalidate_disk_zones() fails, these resources can be freed while the other process is still using them, causing a use-after-free error.  blk_revalidate_disk_zones() will only ever be called when initially setting up the zone append emulation resources, such as when setting up a zoned dm-crypt table for the first time. Further table swaps will not set md->zone_revalidate_map or call blk_revalidate_disk_zones(). However it must be called using the new table (referenced by md->zone_revalidate_map) and the new queue limits while the DM device is suspended. dm_blk_report_zones() needs some way to distinguish between a call from blk_revalidate_disk_zones(), which must be allowed to use md->zone_revalidate_map to access this not yet activated table, and all other calls to dm_blk_report_zones(), which should not be allowed while the device is suspended and cannot use md->zone_revalidate_map, since the zone resources might be freed by the process currently calling blk_revalidate_disk_zones().  Solve this by tracking the process that sets md->zone_revalidate_map in dm_revalidate_zones() and only allowing that process to make use of it in dm_blk_report_zones().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38142",
                                "url": "https://ubuntu.com/security/CVE-2025-38142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (asus-ec-sensors) check sensor index in read_string()  Prevent a potential invalid memory access when the requested sensor is not found.  find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info().  Add a proper check to return -EINVAL if sensor_index is negative.  Found by Linux Verification Center (linuxtesting.org) with SVACE.  [groeck: Return error code returned from find_ec_sensor_index]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38277",
                                "url": "https://ubuntu.com/security/CVE-2025-38277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: nand: ecc-mxic: Fix use of uninitialized variable ret  If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes.  This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization.  Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38143",
                                "url": "https://ubuntu.com/security/CVE-2025-38143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  backlight: pm8941: Add NULL check in wled_configure()  devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38312",
                                "url": "https://ubuntu.com/security/CVE-2025-38312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()  In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow...  Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38145",
                                "url": "https://ubuntu.com/security/CVE-2025-38145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()  devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.  [arj: Fix Fixes: tag to use subject from 3772e5da4454]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38313",
                                "url": "https://ubuntu.com/security/CVE-2025-38313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bus: fsl-mc: fix double-free on mc_dev  The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable.  In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed.  This commit introduces back the following checkpatch warning which is a false-positive.  WARNING: kfree(NULL) is safe and this check is probably not required +       if (mc_bus) +               kfree(mc_bus);",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38415",
                                "url": "https://ubuntu.com/security/CVE-2025-38415",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Squashfs: check return result of sb_min_blocksize  Syzkaller reports an \"UBSAN: shift-out-of-bounds in squashfs_bio_read\" bug.  Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl(\"/dev/loop0\", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs.  When this happens the following code in squashfs_fill_super() fails.  ---- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize); ----  sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.  As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.  This subsequently causes the  UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')  This commit adds a check for a 0 return by sb_min_blocksize().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-25 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38146",
                                "url": "https://ubuntu.com/security/CVE-2025-38146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: openvswitch: Fix the dead loop of MPLS parse  The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally.  stack backtrace: UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 index -1 is out of range for type '__be32 [3]' CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE  5.15.0-121-generic #131-Ubuntu Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 Call Trace:  <IRQ>  show_stack+0x52/0x5c  dump_stack_lvl+0x4a/0x63  dump_stack+0x10/0x16  ubsan_epilogue+0x9/0x36  __ubsan_handle_out_of_bounds.cold+0x44/0x49  key_extract_l3l4+0x82a/0x840 [openvswitch]  ? kfree_skbmem+0x52/0xa0  key_extract+0x9c/0x2b0 [openvswitch]  ovs_flow_key_extract+0x124/0x350 [openvswitch]  ovs_vport_receive+0x61/0xd0 [openvswitch]  ? kernel_init_free_pages.part.0+0x4a/0x70  ? get_page_from_freelist+0x353/0x540  netdev_port_receive+0xc4/0x180 [openvswitch]  ? netdev_port_receive+0x180/0x180 [openvswitch]  netdev_frame_hook+0x1f/0x40 [openvswitch]  __netif_receive_skb_core.constprop.0+0x23a/0xf00  __netif_receive_skb_list_core+0xfa/0x240  netif_receive_skb_list_internal+0x18e/0x2a0  napi_complete_done+0x7a/0x1c0  bnxt_poll+0x155/0x1c0 [bnxt_en]  __napi_poll+0x30/0x180  net_rx_action+0x126/0x280  ? bnxt_msix+0x67/0x80 [bnxt_en]  handle_softirqs+0xda/0x2d0  irq_exit_rcu+0x96/0xc0  common_interrupt+0x8e/0xa0  </IRQ>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38147",
                                "url": "https://ubuntu.com/security/CVE-2025-38147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  calipso: Don't call calipso functions for AF_INET sk.  syzkaller reported a null-ptr-deref in txopt_get(). [0]  The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there.  However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one.  The root cause is missing validation in netlbl_conn_setattr().  netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace.  However, netlbl_conn_setattr() does not check if the address family matches the socket.  The syzkaller must have called connect() for an IPv6 address on an IPv4 socket.  We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage.  Let's copy the validation to netlbl_conn_setattr().  [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS:  00007f9019bd7640(0000) 
GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace:  <TASK>  calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557  netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177  selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569  selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]  selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615  selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931  security_socket_connect+0x50/0xa0 security/security.c:4598  __sys_connect_file+0xa4/0x190 net/socket.c:2067  __sys_connect+0x12c/0x170 net/socket.c:2088  __do_sys_connect net/socket.c:2098 [inline]  __se_sys_connect net/socket.c:2095 [inline]  __x64_sys_connect+0x73/0xb0 net/socket.c:2095  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000  </TASK> Modules linked in:",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38278",
                                "url": "https://ubuntu.com/security/CVE-2025-38278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback  This patch addresses below issues,  1. Active traffic on the leaf node must be stopped before its send queue    is reassigned to the parent. This patch resolves the issue by marking    the node as 'Inner'.  2. During a system reboot, the interface receives TC_HTB_LEAF_DEL    and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.    In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue    is reassigned to the parent, the current logic still attempts to update    the real number of queues, leading to below warnings          New queues can't be registered after device unregistration.         WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714         netdev_queue_update_kobjects+0x1e4/0x200",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38148",
                                "url": "https://ubuntu.com/security/CVE-2025-38148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: mscc: Fix memory leak when using one step timestamping  Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never be released. Fix this by freeing the frame in case of one-step timestamping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38149",
                                "url": "https://ubuntu.com/security/CVE-2025-38149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: clear phydev->devlink when the link is deleted  There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the \"error\" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows.  [   24.702421] Call trace: [   24.704856]  device_link_put_kref+0x20/0x120 [   24.709124]  device_link_del+0x30/0x48 [   24.712864]  phy_detach+0x24/0x168 [   24.716261]  phy_attach_direct+0x168/0x3a4 [   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c [   24.725140]  phylink_of_phy_connect+0x1c/0x34  Therefore, phydev->devlink needs to be cleared when the device link is deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38280",
                                "url": "https://ubuntu.com/security/CVE-2025-38280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Avoid __bpf_prog_ret0_warn when jit fails  syzkaller reported an issue:  WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace:  <TASK>  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105  ...  When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, but jit failed due to FAULT_INJECTION. As a result, incorrectly treats the program as valid, when the program runs it calls `__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38151",
                                "url": "https://ubuntu.com/security/CVE-2025-38151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work  The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item currently in the work queue.  However, it left a problem when queue_work fails (because the item is still pending in the work queue from a previous call). In this case, cma_id_put (which is called in the work handler) is therefore not called. This results in a userspace process hang (zombie process).  Fix this by calling cma_id_put() if queue_work fails.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38153",
                                "url": "https://ubuntu.com/security/CVE-2025-38153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: aqc111: fix error handling of usbnet read calls  Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").  For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings.  Fix the issue by verifying that the number of bytes read is as expected and not less.  [1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  is_valid_ether_addr include/linux/etherdevice.h:208 [inline]  usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline]  really_probe+0x4d1/0xd90 drivers/base/dd.c:658  __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ...  Uninit was stored to memory at:  dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582  __dev_addr_set include/linux/netdevice.h:4874 [inline]  eth_hw_addr_set include/linux/etherdevice.h:325 [inline]  aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ...  
Uninit was stored to memory at:  ether_addr_copy include/linux/etherdevice.h:305 [inline]  aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]  aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772  usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396  call_driver_probe drivers/base/dd.c:-1 [inline] ...  Local variable buf.i created at:  aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]  aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713  usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38154",
                                "url": "https://ubuntu.com/security/CVE-2025-38154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Avoid using sk_socket after free when sending  The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected.  Race conditions: ''' CPU0                               CPU1  backlog::skb_send_sock   sendmsg_unlocked     sock_sendmsg       sock_sendmsg_nosec                                    close(fd):                                      ...                                      ops->release() -> sock_map_close()                                      sk_socket->ops = NULL                                      free(socket)       sock->ops->sendmsg             ^             panic here '''  The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() {     ...     if (likely(psock)) {     ...     // !! here we remove psock and the ref of psock become 0     sock_map_remove_links(sk, psock)     psock = sk_psock_get(sk);     if (unlikely(!psock))         goto no_psock; <=== Control jumps here via goto         ...         cancel_delayed_work_sync(&psock->work); <=== not executed         sk_psock_put(sk, psock);         ... } '''  Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions.  With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work.  If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync().  In summary, we require synchronization to coordinate the backlog thread and close() thread.  
The panic I caught: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace:  <TASK>  ? die_addr+0x40/0xa0  ? exc_general_protection+0x14c/0x230  ? asm_exc_general_protection+0x26/0x30  ? sock_sendmsg+0x21d/0x440  ? sock_sendmsg+0x3e0/0x440  ? __pfx_sock_sendmsg+0x10/0x10  __skb_send_sock+0x543/0xb70  sk_psock_backlog+0x247/0xb80 ... '''",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38315",
                                "url": "https://ubuntu.com/security/CVE-2025-38315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btintel: Check dsbr size from EFI variable  Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38155",
                                "url": "https://ubuntu.com/security/CVE-2025-38155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7915_mmio_wed_init().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38156",
                                "url": "https://ubuntu.com/security/CVE-2025-38156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()  devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.  Prevent null pointer dereference in mt7996_mmio_wed_init()",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38282",
                                "url": "https://ubuntu.com/security/CVE-2025-38282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kernfs: Relax constraint in draining guard  The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanism is in place, the WARN check in kernfs_should_drain_open_files() is too sensitive -- it may transiently catch those (rightful) callers between kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen Ridong:  \tkernfs_remove_by_name_ns\tkernfs_get_active // active=1 \t__kernfs_remove\t\t\t\t\t  // active=0x80000002 \tkernfs_drain\t\t\t... \twait_event \t//waiting (active == 0x80000001) \t\t\t\t\tkernfs_break_active_protection \t\t\t\t\t// active = 0x80000001 \t// continue \t\t\t\t\tkernfs_unbreak_active_protection \t\t\t\t\t// active = 0x80000002 \t... \tkernfs_should_drain_open_files \t// warning occurs \t\t\t\t\tkernfs_put_active  To avoid the false positives (mind panic_on_warn) remove the check altogether. (This is meant as quick fix, I think active reference break/unbreak may be simplified with larger rework.)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38157",
                                "url": "https://ubuntu.com/security/CVE-2025-38157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath9k_htc: Abort software beacon handling if disabled  A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a divide-by-zero error in the driver, leading to either a crash or an out of bounds read.  Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38283",
                                "url": "https://ubuntu.com/security/CVE-2025-38283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: bugfix live migration function without VF device driver  If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors.  Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38158",
                                "url": "https://ubuntu.com/security/CVE-2025-38158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hisi_acc_vfio_pci: fix XQE dma address error  The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services  failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected.  Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data.  In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38159",
                                "url": "https://ubuntu.com/security/CVE-2025-38159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds  Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes:  void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) {     ...     SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);     SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));     ...     SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));  Detected using the static analysis tool - Svace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38285",
                                "url": "https://ubuntu.com/security/CVE-2025-38285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix WARN() in get_bpf_raw_tp_regs  syzkaller reported an issue:  WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 FS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]  bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]  __bpf_prog_run include/linux/filter.h:718 [inline]  bpf_prog_run include/linux/filter.h:725 [inline]  __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]  bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405  __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47  __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47  __do_trace_mmap_lock_acquire_returned 
include/trace/events/mmap_lock.h:47 [inline]  trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]  __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]  mmap_read_trylock include/linux/mmap_lock.h:204 [inline]  stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157  __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483  ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]  bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496  ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]  bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931  bpf_prog_ec3b2eefa702d8d3+0x43/0x47  Tracepoint like trace_mmap_lock_acquire_returned may cause nested call as the corner case show above, which will be resolved with more general method in the future. As a result, WARN_ON_ONCE will be triggered. As Alexei suggested, remove the WARN_ON_ONCE first.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38286",
                                "url": "https://ubuntu.com/security/CVE-2025-38286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pinctrl: at91: Fix possible out-of-boundary access  at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38160",
                                "url": "https://ubuntu.com/security/CVE-2025-38160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()  devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38161",
                                "url": "https://ubuntu.com/security/CVE-2025-38161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction  Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure.  Now properly rollback the object to its original state upon such failure.  In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G          OE     -------  ---  6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: 
ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace:  refcount_warn_saturate+0xf4/0x148  mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]  mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]  mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]  ib_destroy_wq_user+0x30/0xc0 [ib_core]  uverbs_free_wq+0x28/0x58 [ib_uverbs]  destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]  uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]  __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]  uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]  ib_uverbs_close+0x2c/0x100 [ib_uverbs]  __fput+0xd8/0x2f0  __fput_sync+0x50/0x70  __arm64_sys_close+0x40/0x90  invoke_syscall.constprop.0+0x74/0xd0  do_el0_svc+0x48/0xe8  el0_svc+0x44/0x1d0  el0t_64_sync_handler+0x120/0x130  el0t_64_sync+0x1a4/0x1a8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38162",
                                "url": "https://ubuntu.com/security/CVE-2025-38162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_set_pipapo: prevent overflow in lookup table allocation  When calculating the lookup table size, ensure the following multiplication does not overflow:  - desc->field_len[] maximum value is U8_MAX multiplied by   NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in   struct nft_pipapo_field.  Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this.  While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38288",
                                "url": "https://ubuntu.com/security/CVE-2025-38288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels  Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id().  smp_processor_id() checks to see if preemption is disabled and if not, issue an error message followed by a call to dump_stack().  Brief example of call trace: kernel:  check_preemption_disabled: 436 callbacks suppressed kernel:  BUG: using smp_processor_id() in preemptible [00000000]          code: kworker/u1025:0/2354 kernel:  caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  CPU: 129 PID: 2354 Comm: kworker/u1025:0 kernel:  ... kernel:  Workqueue: writeback wb_workfn (flush-253:0) kernel:  Call Trace: kernel:   <TASK> kernel:   dump_stack_lvl+0x34/0x48 kernel:   check_preemption_disabled+0xdd/0xe0 kernel:   pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel:  ...",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38290",
                                "url": "https://ubuntu.com/security/CVE-2025-38290",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20  The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/  Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38292",
                                "url": "https://ubuntu.com/security/CVE-2025-38292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: fix invalid access to memory  In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, rxcb->is_continuation is accessed again, which is wrong since the memory is already freed. This might lead to a use-after-free error.  Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used.  Compile tested only.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38163",
                                "url": "https://ubuntu.com/security/CVE-2025-38163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to do sanity check on sbi->total_valid_block_count  syzbot reported a f2fs bug as below:  ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace:  f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695  truncate_dnode+0x417/0x740 fs/f2fs/node.c:973  truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014  f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197  f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810  f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838  f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888  f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112  notify_change+0xbca/0xe90 fs/attr.c:552  do_truncate+0x222/0x310 fs/open.c:65  handle_truncate fs/namei.c:3466 [inline]  do_open fs/namei.c:3849 [inline]  path_openat+0x2e4f/0x35d0 fs/namei.c:4004  do_filp_open+0x284/0x4e0 fs/namei.c:4031  do_sys_openat2+0x12b/0x1d0 fs/open.c:1429  do_sys_open fs/open.c:1444 [inline]  __do_sys_creat fs/open.c:1522 [inline]  __se_sys_creat fs/open.c:1516 [inline]  __x64_sys_creat+0x124/0x170 fs/open.c:1516  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94  The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38317",
                                "url": "https://ubuntu.com/security/CVE-2025-38317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath12k: Fix buffer overflow in debugfs  If the user tries to write more than 32 bytes then it results in memory corruption.  Fortunately, this is debugfs so it's limited to root users.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38164",
                                "url": "https://ubuntu.com/security/CVE-2025-38164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: zone: fix to avoid inconsistence in between SIT and SSA  w/ below testcase, it will cause inconsistence in between SIT and SSA.  create_null_blk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch /mnt/f2fs/file f2fs_io pinfile set /mnt/f2fs/file fallocate -l 4GiB /mnt/f2fs/file  F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G           O      6.13.0-rc1 #84 Tainted: [O]=OOT_MODULE Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 Call Trace:  <TASK>  dump_stack_lvl+0xb3/0xd0  dump_stack+0x14/0x20  f2fs_handle_critical_error+0x18c/0x220 [f2fs]  f2fs_stop_checkpoint+0x38/0x50 [f2fs]  do_garbage_collect+0x674/0x6e0 [f2fs]  f2fs_gc_range+0x12b/0x230 [f2fs]  f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]  f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]  f2fs_fallocate+0x3c3/0x410 [f2fs]  vfs_fallocate+0x15f/0x4b0  __x64_sys_fallocate+0x4a/0x80  x64_sys_call+0x15e8/0x1b80  do_syscall_64+0x68/0x130  entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f9dba5197ca F2FS-fs (nullb0): Stopped filesystem due to reason: 4  The reason is f2fs_gc_range() may try to migrate block in curseg, however, its SSA block is not uptodate due to the last summary block data is still in cache of curseg.  In this patch, we add a condition in f2fs_gc_range() to check whether section is opened or not, and skip block migration for opened section.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38165",
                                "url": "https://ubuntu.com/security/CVE-2025-38165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf, sockmap: Fix panic when calling skb_linearize  The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000  Then a kernel panic was captured: ''' [  657.460555] kernel BUG at net/core/skbuff.c:2178! [  657.462680] Tainted: [W]=WARN [  657.463287] Workqueue: events sk_psock_backlog ... [  657.469610]  <TASK> [  657.469738]  ? die+0x36/0x90 [  657.469916]  ? do_trap+0x1d0/0x270 [  657.470118]  ? pskb_expand_head+0x612/0xf40 [  657.470376]  ? pskb_expand_head+0x612/0xf40 [  657.470620]  ? do_error_trap+0xa3/0x170 [  657.470846]  ? pskb_expand_head+0x612/0xf40 [  657.471092]  ? handle_invalid_op+0x2c/0x40 [  657.471335]  ? pskb_expand_head+0x612/0xf40 [  657.471579]  ? exc_invalid_op+0x2d/0x40 [  657.471805]  ? asm_exc_invalid_op+0x1a/0x20 [  657.472052]  ? pskb_expand_head+0xd1/0xf40 [  657.472292]  ? pskb_expand_head+0x612/0xf40 [  657.472540]  ? lock_acquire+0x18f/0x4e0 [  657.472766]  ? find_held_lock+0x2d/0x110 [  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10 [  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470 [  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10 [  657.473826]  __pskb_pull_tail+0xfd/0x1d20 [  657.474062]  ? __kasan_slab_alloc+0x4e/0x90 [  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510 [  657.475392]  ? __kasan_kmalloc+0xaa/0xb0 [  657.476010]  sk_psock_backlog+0x5cf/0xd70 [  657.476637]  process_one_work+0x858/0x1a20 '''  The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.  
The \"--rx-strp 100000\" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.  To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.  ''' sk_psock_backlog:     sk_psock_handle_skb        skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'        sk_psock_skb_ingress____________                                        ↓                                        |                                        | → sk_psock_skb_ingress_self                                        |      sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑          skb_linearize '''  Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38166",
                                "url": "https://ubuntu.com/security/CVE-2025-38166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix ktls panic with sockmap  [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299]  <TASK> [ 2172.945428]  ? die+0x36/0x90 [ 2172.945601]  ? do_trap+0xdd/0x100 [ 2172.945795]  ? iov_iter_revert+0x178/0x180 [ 2172.946031]  ? iov_iter_revert+0x178/0x180 [ 2172.946267]  ? do_error_trap+0x7d/0x110 [ 2172.946499]  ? iov_iter_revert+0x178/0x180 [ 2172.946736]  ? exc_invalid_op+0x50/0x70 [ 2172.946961]  ? iov_iter_revert+0x178/0x180 [ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446]  ? iov_iter_revert+0x178/0x180 [ 2172.947683]  ? iov_iter_revert+0x5c/0x180 [ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206]  tls_sw_sendmsg+0x52/0x80 [ 2172.948420]  ? inet_sendmsg+0x1f/0x70 [ 2172.948634]  __sys_sendto+0x1cd/0x200 [ 2172.948848]  ? find_held_lock+0x2b/0x80 [ 2172.949072]  ? syscall_trace_enter+0x140/0x270 [ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595]  ? find_held_lock+0x2b/0x80 [ 2172.949817]  ? syscall_trace_enter+0x140/0x270 [ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036]  __x64_sys_sendto+0x24/0x30 [ 2172.951382]  do_syscall_64+0x90/0x170 ......  After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data().  If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. 
''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); '''  The changes in this commit are based on the following considerations:  1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic.  2. We can not calculate the correct number of bytes to revert msg_iter.  Assume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: \"abc?de?fgh?\". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes \"?fgh?\" will be cached until the length meets the cork_bytes requirement.  However, some data in \"?fgh?\" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data \"?\" we pushed.  So it doesn't seem as simple as just reverting through an offset of msg_iter.  3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached.  Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { \tif (ret == -ENOSPC) \t\tret = 0; \tgoto send_end; '''  So it's ok to just return 'copied' without error when a \"cork\" situation occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38293",
                                "url": "https://ubuntu.com/security/CVE-2025-38293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: ath11k: fix node corruption in ar->arvifs list  In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the \"arvifs\" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head \"arvifs\", but the next of the list head \"arvifs\" no longer points to that list node.  When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.  The fix is to remove and reinitialize all vif list nodes from the list head \"arvifs\" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.  Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ...  Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38295",
                                "url": "https://ubuntu.com/security/CVE-2025-38295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()  The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context.  Following kernel warning and stack trace: [   31.745138] [   T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 [   31.745154] [   T2289] caller is debug_smp_processor_id+0x28/0x38 [   31.745172] [   T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 [   31.745181] [   T2289] Tainted: [W]=WARN [   31.745183] [   T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) [   31.745188] [   T2289] Call trace: [   31.745191] [   T2289]  show_stack+0x28/0x40 (C) [   31.745199] [   T2289]  dump_stack_lvl+0x4c/0x198 [   31.745205] [   T2289]  dump_stack+0x20/0x50 [   31.745209] [   T2289]  check_preemption_disabled+0xec/0xf0 [   31.745213] [   T2289]  debug_smp_processor_id+0x28/0x38 [   31.745216] [   T2289]  meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745237] [   T2289]  g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745246] [   T2289]  platform_probe+0x98/0xe0 [   31.745254] [   T2289]  really_probe+0x144/0x3f8 [   31.745258] [   T2289]  __driver_probe_device+0xb8/0x180 [   31.745261] [   T2289]  driver_probe_device+0x54/0x268 [   31.745264] [   T2289]  __driver_attach+0x11c/0x288 [   31.745267] [   T2289]  bus_for_each_dev+0xfc/0x160 [   31.745274] [   T2289]  driver_attach+0x34/0x50 [   31.745277] [   T2289]  bus_add_driver+0x160/0x2b0 [   31.745281] [   T2289]  driver_register+0x78/0x120 [   
31.745285] [   T2289]  __platform_driver_register+0x30/0x48 [   31.745288] [   T2289]  init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [   31.745298] [   T2289]  do_one_initcall+0x11c/0x438 [   31.745303] [   T2289]  do_init_module+0x68/0x228 [   31.745311] [   T2289]  load_module+0x118c/0x13a8 [   31.745315] [   T2289]  __arm64_sys_finit_module+0x274/0x390 [   31.745320] [   T2289]  invoke_syscall+0x74/0x108 [   31.745326] [   T2289]  el0_svc_common+0x90/0xf8 [   31.745330] [   T2289]  do_el0_svc+0x2c/0x48 [   31.745333] [   T2289]  el0_svc+0x60/0x150 [   31.745337] [   T2289]  el0t_64_sync_handler+0x80/0x118 [   31.745341] [   T2289]  el0t_64_sync+0x1b8/0x1c0  Changes replaces smp_processor_id() with raw_smp_processor_id() to ensure safe CPU ID retrieval in preemptible contexts.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38167",
                                "url": "https://ubuntu.com/security/CVE-2025-38167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/ntfs3: handle hdr_first_de() return value  The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently.  Additionally, error handling for the return value already exists at other points where this function is called.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38318",
                                "url": "https://ubuntu.com/security/CVE-2025-38318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Fix missing platform_set_drvdata()  Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38168",
                                "url": "https://ubuntu.com/security/CVE-2025-38168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf: arm-ni: Unregister PMUs on probe failure  When a resource allocation fails in one clock domain of an NI device, we need to properly roll back all previously registered perf PMUs in other clock domains of the same device.  Otherwise, it can lead to kernel panics.  Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 list_add corruption: next->prev should be prev (fffffd01e9698a18), but was 0000000000000000. (next=ffff10001a0decc8). pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : list_add_valid_or_report+0x7c/0xb8 lr : list_add_valid_or_report+0x7c/0xb8 Call trace:  __list_add_valid_or_report+0x7c/0xb8  perf_pmu_register+0x22c/0x3a0  arm_ni_probe+0x554/0x70c [arm_ni]  platform_probe+0x70/0xe8  really_probe+0xc6/0x4d8  driver_probe_device+0x48/0x170  __driver_attach+0x8e/0x1c0  bus_for_each_dev+0x64/0xf0  driver_add+0x138/0x260  bus_add_driver+0x68/0x138  __platform_driver_register+0x2c/0x40  arm_ni_init+0x14/0x2a [arm_ni]  do_init_module+0x36/0x298 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38169",
                                "url": "https://ubuntu.com/security/CVE-2025-38169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP  On system with SME, a thread's kernel FPSIMD state may be erroneously clobbered during a context switch immediately after that state is restored. Systems without SME are unaffected.  If the CPU happens to be in streaming SVE mode before a context switch to a thread with kernel FPSIMD state, fpsimd_thread_switch() will restore the kernel FPSIMD state using fpsimd_load_kernel_state() while the CPU is still in streaming SVE mode. When fpsimd_thread_switch() subsequently calls fpsimd_flush_cpu_state(), this will execute an SMSTOP, causing an exit from streaming SVE mode. The exit from streaming SVE mode will cause the hardware to reset a number of FPSIMD/SVE/SME registers, clobbering the FPSIMD state.  Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38170",
                                "url": "https://ubuntu.com/security/CVE-2025-38170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64/fpsimd: Discard stale CPU state when handling SME traps  The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set:  |        /* With TIF_SME userspace shouldn't generate any traps */ |        if (test_and_set_thread_flag(TIF_SME)) |                WARN_ON(1);  This is very similar to the SVE issue we fixed in commit:    751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")  The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g.  | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { |         // Trap on CPU 0 with TIF_SME clear, SME traps enabled |         // task->fpsimd_cpu is 0. |         // per_cpu_ptr(&fpsimd_last_state, 0) is task. | |         ... | |         // Preempted; migrated from CPU 0 to CPU 1. |         // TIF_FOREIGN_FPSTATE is set. | |         get_cpu_fpsimd_context(); | |         /* With TIF_SME userspace shouldn't generate any traps */ |         if (test_and_set_thread_flag(TIF_SME)) |                 WARN_ON(1); | |         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { |                 unsigned long vq_minus_one = |                         sve_vq_from_vl(task_get_sme_vl(current)) - 1; |                 sme_set_vq(vq_minus_one); | |                 fpsimd_bind_task_to_cpu(); |         } | |         put_cpu_fpsimd_context(); | |         // Preempted; migrated from CPU 1 to CPU 0. 
|         // task->fpsimd_cpu is still 0 |         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: |         // - Stale HW state is reused (with SME traps enabled) |         // - TIF_FOREIGN_FPSTATE is cleared |         // - A return to userspace skips HW state restore | }  Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.  Note: this was originally posted as [1].  [ Rutland: rewrite commit message ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38319",
                                "url": "https://ubuntu.com/security/CVE-2025-38319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table  The functions atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() do not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL, which is later dereferenced.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38297",
                                "url": "https://ubuntu.com/security/CVE-2025-38297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PM: EM: Fix potential division-by-zero error in em_compute_costs()  When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating costs in em_compute_costs().  Since the 'cost' algorithm is only used for EAS energy efficiency calculations and is currently not utilized by other device drivers, we should add the _is_cpu_device(dev) check to prevent this division-by-zero issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38298",
                                "url": "https://ubuntu.com/security/CVE-2025-38298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/skx_common: Fix general protection fault  After loading i10nm_edac (which automatically loads skx_edac_common), if only i10nm_edac is unloaded and then reloaded, and error injection testing is performed, a general protection fault may occur:    mce: [Hardware Error]: Machine check events logged   Oops: general protection fault ...   ...   Workqueue: events mce_gen_pool_process   RIP: 0010:string+0x53/0xe0   ...   Call Trace:   <TASK>   ? die_addr+0x37/0x90   ? exc_general_protection+0x1e7/0x3f0   ? asm_exc_general_protection+0x26/0x30   ? string+0x53/0xe0   vsnprintf+0x23e/0x4c0   snprintf+0x4d/0x70   skx_adxl_decode+0x16a/0x330 [skx_edac_common]   skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]   skx_mce_check_error+0x17/0x20 [skx_edac_common]   ...  The issue arose because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above.  Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38299",
                                "url": "https://ubuntu.com/security/CVE-2025-38299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()  ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null.  Avoid a crash if the device tree is not assigning a codec to these links.  [    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [    1.181065] Mem abort info: [    1.181420]   ESR = 0x0000000096000004 [    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits [    1.182576]   SET = 0, FnV = 0 [    1.182964]   EA = 0, S1PTW = 0 [    1.183367]   FSC = 0x04: level 0 translation fault [    1.183983] Data abort info: [    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [    1.186439] [0000000000000000] user address but active_mm is swapper [    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [    1.188029] Modules linked in: [    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 [    1.189515] Hardware name: Radxa NIO 12L (DT) [    1.190065] Workqueue: events_unbound deferred_probe_work_func [    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    1.191683] pc : __pi_strcmp+0x24/0x140 [    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 [    1.192854] sp : ffff800083473970 [    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 [    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 [    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 [    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff [    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 [    1.197755] x14: ffff800082407af0 x13: 
6e6f69737265766e x12: 692d6b636f6c6374 [    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 [    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d [    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 [    1.202236] Call trace: [    1.202545]  __pi_strcmp+0x24/0x140 (P) [    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8 [    1.203644]  platform_probe+0x70/0xe8 [    1.204106]  really_probe+0xc8/0x3a0 [    1.204556]  __driver_probe_device+0x84/0x160 [    1.205104]  driver_probe_device+0x44/0x130 [    1.205630]  __device_attach_driver+0xc4/0x170 [    1.206189]  bus_for_each_drv+0x8c/0xf8 [    1.206672]  __device_attach+0xa8/0x1c8 [    1.207155]  device_initial_probe+0x1c/0x30 [    1.207681]  bus_probe_device+0xb0/0xc0 [    1.208165]  deferred_probe_work_func+0xa4/0x100 [    1.208747]  process_one_work+0x158/0x3e0 [    1.209254]  worker_thread+0x2c4/0x3e8 [    1.209727]  kthread+0x134/0x1f0 [    1.210136]  ret_from_fork+0x10/0x20 [    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) [    1.211355] ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38172",
                                "url": "https://ubuntu.com/security/CVE-2025-38172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid using multiple devices with different type  For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files.  However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to a UAF:    erofs_fc_get_tree     get_tree_bdev_flags(erofs_fc_fill_super)       erofs_read_superblock         erofs_init_device  // sbi->dif0 is not inited yet,                            // return -ENOTBLK       deactivate_locked_super         free(sbi)     if (err is -ENOTBLK)       sbi->dif0.file = filp_open()  // sbi UAF  So if -ENOTBLK is hit in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38173",
                                "url": "https://ubuntu.com/security/CVE-2025-38173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: marvell/cesa - Handle zero-length skcipher requests  Do not access random memory for zero-length skcipher requests. Just return 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-03 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38300",
                                "url": "https://ubuntu.com/security/CVE-2025-38300",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()  Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():  1] If dma_map_sg() fails for areq->dst, the device driver would try to free    DMA memory it has not allocated in the first place. To fix this, on the    \"theend_sgs\" error path, call dma unmap only if the corresponding dma    map was successful.  2] If the dma_map_single() call for the IV fails, the device driver would    try to free an invalid DMA memory address on the \"theend_iv\" path:    ------------[ cut here ]------------    DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address    WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90    Modules linked in: skcipher_example(O+)    CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O       6.15.0-rc3+ #24 PREEMPT    Tainted: [O]=OOT_MODULE    Hardware name: OrangePi Zero2 (DT)    pc : check_unmap+0x123c/0x1b90    lr : check_unmap+0x123c/0x1b90    ...    Call trace:     check_unmap+0x123c/0x1b90 (P)     debug_dma_unmap_page+0xac/0xc0     dma_unmap_page_attrs+0x1f4/0x5fc     sun8i_ce_cipher_do_one+0x1bd4/0x1f40     crypto_pump_work+0x334/0x6e0     kthread_worker_fn+0x21c/0x438     kthread+0x374/0x664     ret_from_fork+0x10/0x20    ---[ end trace 0000000000000000 ]---  To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the \"theend_iv\" path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38174",
                                "url": "https://ubuntu.com/security/CVE-2025-38174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  thunderbolt: Do not double dequeue a configuration request  Some of our devices crash in tb_cfg_request_dequeue():   general protection fault, probably for non-canonical address 0xdead000000000122   CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65  RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0  Call Trace:  <TASK>  ? tb_cfg_request_dequeue+0x2d/0xa0  tb_cfg_request_work+0x33/0x80  worker_thread+0x386/0x8f0  kthread+0xed/0x110  ret_from_fork+0x38/0x50  ret_from_fork_asm+0x1b/0x30  The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request().  Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison dereference hints at it: 0xdead000000000122).  Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38175",
                                "url": "https://ubuntu.com/security/CVE-2025-38175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix yet another UAF in binder_devices  Commit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed:    ==================================================================   BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100   Write of size 8 at addr ffff0000c773b900 by task umount/467   CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT   Hardware name: linux,dummy-virt (DT)   Call trace:    binder_remove_device+0xd4/0x100    binderfs_evict_inode+0x230/0x2f0    evict+0x25c/0x5dc    iput+0x304/0x480    dentry_unlink_inode+0x208/0x46c    __dentry_kill+0x154/0x530    [...]    Allocated by task 463:    __kmalloc_cache_noprof+0x13c/0x324    binderfs_binder_device_create.isra.0+0x138/0xa60    binder_ctl_ioctl+0x1ac/0x230   [...]    Freed by task 215:    kfree+0x184/0x31c    binder_proc_dec_tmpref+0x33c/0x4ac    binder_deferred_func+0xc10/0x1108    process_one_work+0x520/0xba4   [...]   ==================================================================  Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38176",
                                "url": "https://ubuntu.com/security/CVE-2025-38176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binder: fix use-after-free in binderfs_evict_inode()  Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:  BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699  CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x1c2/0x2a0  ? __pfx_dump_stack_lvl+0x10/0x10  ? __pfx__printk+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  print_report+0x155/0x840  ? __virt_addr_valid+0x18c/0x540  ? __virt_addr_valid+0x469/0x540  ? __phys_addr+0xba/0x170  ? binderfs_evict_inode+0x1de/0x2d0  kasan_report+0x147/0x180  ? binderfs_evict_inode+0x1de/0x2d0  binderfs_evict_inode+0x1de/0x2d0  ? __pfx_binderfs_evict_inode+0x10/0x10  evict+0x524/0x9f0  ? __pfx_lock_release+0x10/0x10  ? __pfx_evict+0x10/0x10  ? do_raw_spin_unlock+0x4d/0x210  ? _raw_spin_unlock+0x28/0x50  ? iput+0x697/0x9b0  __dentry_kill+0x209/0x660  ? shrink_kill+0x8d/0x2c0  shrink_kill+0xa9/0x2c0  shrink_dentry_list+0x2e0/0x5e0  shrink_dcache_parent+0xa2/0x2c0  ? __pfx_shrink_dcache_parent+0x10/0x10  ? __pfx_lock_release+0x10/0x10  ? __pfx_do_raw_spin_lock+0x10/0x10  do_one_tree+0x23/0xe0  shrink_dcache_for_umount+0xa0/0x170  generic_shutdown_super+0x67/0x390  kill_litter_super+0x76/0xb0  binderfs_kill_super+0x44/0x90  deactivate_locked_super+0xb9/0x130  cleanup_mnt+0x422/0x4c0  ? lockdep_hardirqs_on+0x9d/0x150  task_work_run+0x1d2/0x260  ? __pfx_task_work_run+0x10/0x10  resume_user_mode_work+0x52/0x60  syscall_exit_to_user_mode+0x9a/0x120  do_syscall_64+0x103/0x210  ? 
asm_sysvec_apic_timer_interrupt+0x1a/0x20  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830  </TASK>  Allocated by task 1705:  kasan_save_track+0x3e/0x80  __kasan_kmalloc+0x8f/0xa0  __kmalloc_cache_noprof+0x213/0x3e0  binderfs_binder_device_create+0x183/0xa80  binder_ctl_ioctl+0x138/0x190  __x64_sys_ioctl+0x120/0x1b0  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 1705:  kasan_save_track+0x3e/0x80  kasan_save_free_info+0x46/0x50  __kasan_slab_free+0x62/0x70  kfree+0x194/0x440  evict+0x524/0x9f0  do_unlinkat+0x390/0x5b0  __x64_sys_unlink+0x47/0x50  do_syscall_64+0xf6/0x210  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.  I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38265",
                                "url": "https://ubuntu.com/security/CVE-2025-38265",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: jsm: fix NPE during jsm_uart_port_init  No device was set which caused serial_base_ctrl_add to crash.   BUG: kernel NULL pointer dereference, address: 0000000000000050  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI  CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1  RIP: 0010:serial_base_ctrl_add+0x96/0x120  Call Trace:   <TASK>   serial_core_register_port+0x1a0/0x580   ? __setup_irq+0x39c/0x660   ? __kmalloc_cache_noprof+0x111/0x310   jsm_uart_port_init+0xe8/0x180 [jsm]   jsm_probe_one+0x1f4/0x410 [jsm]   local_pci_probe+0x42/0x90   pci_device_probe+0x22f/0x270   really_probe+0xdb/0x340   ? pm_runtime_barrier+0x54/0x90   ? __pfx___driver_attach+0x10/0x10   __driver_probe_device+0x78/0x110   driver_probe_device+0x1f/0xa0   __driver_attach+0xba/0x1c0   bus_for_each_dev+0x8c/0xe0   bus_add_driver+0x112/0x1f0   driver_register+0x72/0xd0   jsm_init_module+0x36/0xff0 [jsm]   ? __pfx_jsm_init_module+0x10/0x10 [jsm]   do_one_initcall+0x58/0x310   do_init_module+0x60/0x230  Tested with Digi Neo PCIe 8 port card.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38092",
                                "url": "https://ubuntu.com/security/CVE-2025-38092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: use list_first_entry_or_null for opinfo_get_list()  The list_first_entry() macro never returns NULL.  If the list is empty then it returns an invalid pointer.  Use list_first_entry_or_null() to check if the list is empty.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38091",
                                "url": "https://ubuntu.com/security/CVE-2025-38091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: check stream id dml21 wrapper to get plane_id  [Why & How] Fix a false positive warning which occurs due to lack of correct checks when querying plane_id in DML21. This fixes the warning when performing a mode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):  [   35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi [   35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G          OE      6.11.0-21-generic #21~24.04.1-Ubuntu [   35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [   35.751505] Hardware name: Gigabyte Technology Co., Ltd. 
X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024 [   35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu] [   35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87 [   35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246 [   35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000 [   35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [   35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000 [   35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000 [   35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000 [   35.751803] FS:  0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000 [   35.751804] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0 [   35.751806] PKRU: 55555554 [   35.751807] Call Trace: [   35.751810]  <TASK> [   35.751816]  ? show_regs+0x6c/0x80 [   35.751820]  ? __warn+0x88/0x140 [   35.751822]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.751964]  ? report_bug+0x182/0x1b0 [   35.751969]  ? handle_bug+0x6e/0xb0 [   35.751972]  ? exc_invalid_op+0x18/0x80 [   35.751974]  ? asm_exc_invalid_op+0x1b/0x20 [   35.751978]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [   35.752117]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752256]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752260]  ? math_pow+0x48/0xa0 [amdgpu] [   35.752400]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752403]  ? math_pow+0x11/0xa0 [amdgpu] [   35.752524]  ? srso_alias_return_thunk+0x5/0xfbef5 [   35.752526]  ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu] [   35.752663]  ? 
srso_alias_return_thunk+0x5/0xfbef5 [   35.752669]  dml21_validate+0x3d4/0x980 [amdgpu]  (cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38082",
                                "url": "https://ubuntu.com/security/CVE-2025-38082",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpio: virtuser: fix potential out-of-bound write  If the caller wrote more characters, count is truncated to the max available space in \"simple_write_to_buffer\". Check that the input size does not exceed the buffer size. Write a zero termination afterwards.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38050",
                                "url": "https://ubuntu.com/security/CVE-2025-38050",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios  A kernel crash was observed when replacing free hugetlb folios:  BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK>  replace_free_hugepage_folios+0xb6/0x100  alloc_contig_range_noprof+0x18a/0x590  ? srso_return_thunk+0x5/0x5f  ? down_read+0x12/0xa0  ? srso_return_thunk+0x5/0x5f  cma_range_alloc.constprop.0+0x131/0x290  __cma_alloc+0xcf/0x2c0  cma_alloc_write+0x43/0xb0  simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110  debugfs_attr_write+0x46/0x70  full_proxy_write+0x62/0xa0  vfs_write+0xf8/0x420  ? srso_return_thunk+0x5/0x5f  ? filp_flush+0x86/0xa0  ? srso_return_thunk+0x5/0x5f  ? filp_close+0x1f/0x30  ? srso_return_thunk+0x5/0x5f  ? do_dup2+0xaf/0x160  ? 
srso_return_thunk+0x5/0x5f  ksys_write+0x65/0xe0  do_syscall_64+0x64/0x170  entry_SYSCALL_64_after_hwframe+0x76/0x7e  There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios():  CPU1                              CPU2 __update_and_free_hugetlb_folio   replace_free_hugepage_folios                                     folio_test_hugetlb(folio)                                     -- It's still hugetlb folio.    __folio_clear_hugetlb(folio)   hugetlb_free_folio(folio)                                     h = folio_hstate(folio)                                     -- Here, h is NULL pointer  When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38029",
                                "url": "https://ubuntu.com/security/CVE-2025-38029",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  kasan: avoid sleepable page allocation from atomic context  apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g.  if an architecutre disables preemption on lazy MMU mode enter.  On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:  [    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [    0.663358] preempt_count: 1, expected: 0 [    0.663366] RCU nest depth: 0, expected: 0 [    0.663375] no locks held by kthreadd/2. [    0.663383] Preemption disabled at: [    0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [    0.663409] Call Trace: [    0.663410]  [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [    0.663413]  [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [    0.663415]  [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [    0.663419]  [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [    0.663421]  [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [    0.663424]  [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [    0.663427]  [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [    0.663429]  [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [    0.663433]  [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [    0.663435]  [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [    0.663437]  [<0002f3284cbc99be>] 
__apply_to_page_range+0x2fe/0x7a0 [    0.663440]  [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [    0.663442]  [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [    0.663445]  [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [    0.663448]  [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [    0.663451]  [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [    0.663454]  [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [    0.663457]  [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [    0.663460]  [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [    0.663463]  [<0002f3284c45be90>] copy_process+0x280/0x4b90 [    0.663465]  [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [    0.663467]  [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [    0.663469]  [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [    0.663472]  [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [    0.663475]  [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38  Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38076",
                                "url": "https://ubuntu.com/security/CVE-2025-38076",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  alloc_tag: allocate percpu counters for module tags dynamically  When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused.  However percpu counters referenced by the tags are freed by free_module().  This will lead to UAF if the memory allocated by a module is accessed after module was unloaded.  To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading.  This also removes the requirement of a larger PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38051",
                                "url": "https://ubuntu.com/security/CVE-2025-38051",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix use-after-free in cifs_fill_dirent  There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning.   ==================================================================  BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]  Read of size 4 at addr ffff8880099b819c by task a.out/342975   CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014  Call Trace:   <TASK>   dump_stack_lvl+0x53/0x70   print_report+0xce/0x640   kasan_report+0xb8/0xf0   cifs_fill_dirent+0xb03/0xb60 [cifs]   cifs_readdir+0x12cb/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e  RIP: 0033:0x7f996f64b9f9  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01  f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8  RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e  RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88  R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000   </TASK>   Allocated by task 408:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   __kasan_slab_alloc+0x6e/0x70   kmem_cache_alloc_noprof+0x117/0x3d0   mempool_alloc_noprof+0xf2/0x2c0   cifs_buf_get+0x36/0x80 [cifs]   allocate_buffers+0x1d2/0x330 [cifs]   cifs_demultiplex_thread+0x22b/0x2690 [cifs]   kthread+0x394/0x720   ret_from_fork+0x34/0x70   
ret_from_fork_asm+0x1a/0x30   Freed by task 342979:   kasan_save_stack+0x20/0x40   kasan_save_track+0x14/0x30   kasan_save_free_info+0x3b/0x60   __kasan_slab_free+0x37/0x50   kmem_cache_free+0x2b8/0x500   cifs_buf_release+0x3c/0x70 [cifs]   cifs_readdir+0x1c97/0x3190 [cifs]   iterate_dir+0x1a1/0x520   __x64_sys_getdents64+0x134/0x220   do_syscall_64+0x4b/0x110   entry_SYSCALL_64_after_hwframe+0x76/0x7e   The buggy address belongs to the object at ffff8880099b8000   which belongs to the cache cifs_request of size 16588  The buggy address is located 412 bytes inside of   freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)   The buggy address belongs to the physical page:  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8  head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  anon flags: 0x80000000000040(head|node=0|zone=1)  page_type: f5(slab)  raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001  head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000  head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff  head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008  page dumped because: kasan: bad access detected   Memory state around the buggy address:   ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                              ^   ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb   ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  ==================================================================  POC is available in the link [1].  
The problem triggering process is as follows:  Process 1                       Process 2 ----------------------------------- ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38077",
                                "url": "https://ubuntu.com/security/CVE-2025-38077",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()  If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow.  Add a check for an empty string.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38078",
                                "url": "https://ubuntu.com/security/CVE-2025-38078",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: Fix race of buffer access at PCM OSS layer  The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area.  But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops.  For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38003",
                                "url": "https://ubuntu.com/security/CVE-2025-38003",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add missing rcu read protection for procfs content  When the procfs content is generated for a bcm_op which is in the process of being removed, the procfs output might show unreliable data (UAF).  As the removal of bcm_op's is already implemented with rcu handling, this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-08 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38004",
                                "url": "https://ubuntu.com/security/CVE-2025-38004",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: bcm: add locking for bcm_op runtime updates  The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed or reduced, respectively, at runtime, where the 'currframe' counter is then set to zero.  Although this appeared to be a safe operation, the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh.  In the rework of bcm_can_tx(), the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-08 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38031",
                                "url": "https://ubuntu.com/security/CVE-2025-38031",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: do not leak refcount in reorder_work  A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented.  Fix this by checking the return value of queue_work() and decrementing the refcount when necessary.  Resolves:  Unreferenced object 0xffff9d9f421e3d80 (size 192):   comm \"cryptomgr_probe\", pid 157, jiffies 4294694003   hex dump (first 32 bytes):     80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............     d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.   backtrace (crc 838fb36):     __kmalloc_cache_noprof+0x284/0x320     padata_alloc_pd+0x20/0x1e0     padata_alloc_shell+0x3b/0xa0     0xffffffffc040a54d     cryptomgr_probe+0x43/0xc0     kthread+0xf6/0x1f0     ret_from_fork+0x2f/0x50     ret_from_fork_asm+0x1a/0x30",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38079",
                                "url": "https://ubuntu.com/security/CVE-2025-38079",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: algif_hash - fix double free in hash_accept  If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38052",
                                "url": "https://ubuntu.com/security/CVE-2025-38052",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done  Syzbot reported a slab-use-after-free with the following call trace:    ==================================================================   BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840   Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25    Call Trace:    kasan_report+0xd9/0x110 mm/kasan/report.c:601    tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840    crypto_request_complete include/crypto/algapi.h:266    aead_request_complete include/crypto/internal/aead.h:85    cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772    crypto_request_complete include/crypto/algapi.h:266    cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231    Allocated by task 8355:    kzalloc_noprof include/linux/slab.h:778    tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466    tipc_init_net+0x2dd/0x430 net/tipc/core.c:72    ops_init+0xb9/0x650 net/core/net_namespace.c:139    setup_net+0x435/0xb40 net/core/net_namespace.c:343    copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508    create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110    unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228    ksys_unshare+0x419/0x970 kernel/fork.c:3323    __do_sys_unshare kernel/fork.c:3394    Freed by task 63:    kfree+0x12a/0x3b0 mm/slub.c:4557    tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539    tipc_exit_net+0x8c/0x110 net/tipc/core.c:119    ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173    cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640    process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231  After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done may still visit it in cryptd_queue_worker workqueue.  
I reproduce this issue by:   ip netns add ns1   ip link add veth1 type veth peer name veth2   ip link set veth1 netns ns1   ip netns exec ns1 tipc bearer enable media eth dev veth1   ip netns exec ns1 tipc node set key this_is_a_master_key master   ip netns exec ns1 tipc bearer disable media eth dev veth1   ip netns del ns1  The key of reproduction is that, simd_aead_encrypt is interrupted, leading to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is triggered, and the tipc_crypto tx will be visited.    tipc_disc_timeout     tipc_bearer_xmit_skb       tipc_crypto_xmit         tipc_aead_encrypt           crypto_aead_encrypt             // encrypt()             simd_aead_encrypt               // crypto_simd_usable() is false               child = &ctx->cryptd_tfm->base;    simd_aead_encrypt     crypto_aead_encrypt       // encrypt()       cryptd_aead_encrypt_enqueue         cryptd_aead_enqueue           cryptd_enqueue_request             // trigger cryptd_queue_worker             queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)  Fix this by holding net reference count before encrypt.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38053",
                                "url": "https://ubuntu.com/security/CVE-2025-38053",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: fix null-ptr-deref in idpf_features_check  idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL.  To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path.  BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace:  <TASK>  ? __die+0x23/0x70  ? page_fault_oops+0x154/0x520  ? exc_page_fault+0x76/0x190  ? asm_exc_page_fault+0x26/0x30  ? idpf_features_check+0x6d/0xe0 [idpf]  netif_skb_features+0x88/0x310  validate_xmit_skb+0x2a/0x2b0  validate_xmit_skb_list+0x4c/0x70  sch_direct_xmit+0x19d/0x3a0  __dev_queue_xmit+0xb74/0xe70  ...",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38032",
                                "url": "https://ubuntu.com/security/CVE-2025-38032",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mr: consolidate the ipmr_can_free_table() checks.  Guoyu Yin reported a splat in the ipmr netns cleanup path:  WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline] WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Modules linked in: CPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ipmr_free_table net/ipv4/ipmr.c:440 [inline] RIP: 0010:ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361 Code: ff df 48 c1 ea 03 80 3c 02 00 75 7d 48 c7 83 60 05 00 00 00 00 00 00 5b 5d 41 5c 41 5d 41 5e e9 71 67 7f 00 e8 4c 2d 8a fd 90 <0f> 0b 90 eb 93 e8 41 2d 8a fd 0f b6 2d 80 54 ea 01 31 ff 89 ee e8 RSP: 0018:ffff888109547c58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888108c12dc0 RCX: ffffffff83e09868 RDX: ffff8881022b3300 RSI: ffffffff83e098d4 RDI: 0000000000000005 RBP: ffff888104288000 R08: 0000000000000000 R09: ffffed10211825c9 R10: 0000000000000001 R11: ffff88801816c4a0 R12: 0000000000000001 R13: ffff888108c13320 R14: ffff888108c12dc0 R15: fffffbfff0b74058 FS:  00007f84f39316c0(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f84f3930f98 CR3: 0000000113b56000 CR4: 0000000000350ef0 Call Trace:  <TASK>  ipmr_net_exit_batch+0x50/0x90 net/ipv4/ipmr.c:3160  ops_exit_list+0x10c/0x160 net/core/net_namespace.c:177  setup_net+0x47d/0x8e0 net/core/net_namespace.c:394  copy_net_ns+0x25d/0x410 net/core/net_namespace.c:516  create_new_namespaces+0x3f6/0xaf0 kernel/nsproxy.c:110  unshare_nsproxy_namespaces+0xc3/0x180 kernel/nsproxy.c:228  ksys_unshare+0x78d/0x9a0 kernel/fork.c:3342  __do_sys_unshare kernel/fork.c:3413 [inline]  __se_sys_unshare kernel/fork.c:3411 [inline]  
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3411  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f84f532cc29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f84f3931038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f84f5615fa0 RCX: 00007f84f532cc29 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000400 RBP: 00007f84f53fba18 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f84f5615fa0 R15: 00007fff51c5f328  </TASK>  The running kernel has CONFIG_IP_MROUTE_MULTIPLE_TABLES disabled, and the sanity check for such build is still too loose.  Address the issue consolidating the relevant sanity check in a single helper regardless of the kernel configuration. Also share it between the ipv4 and ipv6 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38054",
                                "url": "https://ubuntu.com/security/CVE-2025-38054",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptp: ocp: Limit signal/freq counts in summary output functions  The debugfs summary output could access uninitialized elements in the freq_in[] and signal_out[] arrays, causing NULL pointer dereferences and triggering a kernel Oops (page_fault_oops). This patch adds u8 fields (nr_freq_in, nr_signal_out) to track the number of initialized elements, with a maximum of 4 per array. The summary output functions are updated to respect these limits, preventing out-of-bounds access and ensuring safe array handling.  Widen the label variables because the change confuses GCC about max length of the strings.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38055",
                                "url": "https://ubuntu.com/security/CVE-2025-38055",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq  Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault.  For example:      BUG: kernel NULL pointer dereference, address: 0000000000000195     <NMI>     ? __die_body.cold+0x19/0x27     ? page_fault_oops+0xca/0x290     ? exc_page_fault+0x7e/0x1b0     ? asm_exc_page_fault+0x26/0x30     ? intel_pmu_pebs_event_update_no_drain+0x40/0x60     ? intel_pmu_pebs_event_update_no_drain+0x32/0x60     intel_pmu_drain_pebs_icl+0x333/0x350     handle_pmi_common+0x272/0x3c0     intel_pmu_handle_irq+0x10a/0x2e0     perf_event_nmi_handler+0x2a/0x50  That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.  The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway.  Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'.  Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38057",
                                "url": "https://ubuntu.com/security/CVE-2025-38057",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  espintcp: fix skb leaks  A few error paths are missing a kfree_skb.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38058",
                                "url": "https://ubuntu.com/security/CVE-2025-38058",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock  ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput().  Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38033",
                                "url": "https://ubuntu.com/security/CVE-2025-38033",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88  Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic:  [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U    O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599 [ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE [ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0 ... [ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20 [ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7 [ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246 [ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 [ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88 [ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070 [ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8 [ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000 [ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10 [ 4614.484118]  ? _RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250  This happens because core::fmt::write() calls core::fmt::rt::Argument::fmt(), which currently has CFI disabled:  library/core/src/fmt/rt.rs: 171     // FIXME: Transmuting formatter in new and indirectly branching to/calling 172     // it here is an explicit CFI violation. 
173     #[allow(inline_no_sanitize)] 174     #[no_sanitize(cfi, kcfi)] 175     #[inline] 176     pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result {  This causes a Control Protection exception, because FineIBT has sealed off the original function's endbr64.  This makes rust currently incompatible with FineIBT. Add a Kconfig dependency that prevents FineIBT from getting turned on by default if rust is enabled.  [ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],   and thus we relaxed the condition with Rust >= 1.88.    When `objtool` lands checking for this with e.g. [2], the plan is   to ideally run that in upstream Rust's CI to prevent regressions   early [3], since we do not control `core`'s source code.    Alice tested the Rust PR backported to an older compiler.    Peter would like that Rust provides a stable `core` which can be   pulled into the kernel: \"Relying on that much out of tree code is   'unfortunate'\".      - Miguel ]  [ Reduced splat. - Miguel ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38059",
                                "url": "https://ubuntu.com/security/CVE-2025-38059",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: avoid NULL pointer dereference if no valid csum tree  [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace:    BUG: kernel NULL pointer dereference, address: 0000000000000208   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O       6.15.0-rc3-custom+ #236 PREEMPT(full)   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022   RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]   Call Trace:    <TASK>    scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]    scrub_simple_mirror+0x175/0x290 [btrfs]    scrub_stripe+0x5f7/0x6f0 [btrfs]    scrub_chunk+0x9a/0x150 [btrfs]    scrub_enumerate_chunks+0x333/0x660 [btrfs]    btrfs_scrub_dev+0x23e/0x600 [btrfs]    btrfs_ioctl+0x1dcf/0x2f80 [btrfs]    __x64_sys_ioctl+0x97/0xc0    do_syscall_64+0x4f/0x120    entry_SYSCALL_64_after_hwframe+0x76/0x7e  [CAUSE] Mount option \"rescue=idatacsums\" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification.  Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.  This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash.  [FIX] Check both extent and csum tree root before doing any tree search.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38034",
                                "url": "https://ubuntu.com/security/CVE-2025-38034",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref  btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().  Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.  To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable  Perform some writeback operations.  Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014  RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130  Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88  RSP: 0018:ffffce44820077a0 EFLAGS: 00010286  RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b  RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010  RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010  R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000  R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540  FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0  
PKRU: 55555554  Call Trace:   <TASK>   prelim_ref_insert+0x1c1/0x270   find_parent_nodes+0x12a6/0x1ee0   ? __entry_text_end+0x101f06/0x101f09   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   ? srso_alias_return_thunk+0x5/0xfbef5   btrfs_is_data_extent_shared+0x167/0x640   ? fiemap_process_hole+0xd0/0x2c0   extent_fiemap+0xa5c/0xbc0   ? __entry_text_end+0x101f05/0x101f09   btrfs_fiemap+0x7e/0xd0   do_vfs_ioctl+0x425/0x9d0   __x64_sys_ioctl+0x75/0xc0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38035",
                                "url": "https://ubuntu.com/security/CVE-2025-38035",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: don't restore null sk_state_change  queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if the TCP connection isn't established when nvmet_tcp_set_queue_sock() is called then queue->state_change isn't set and sock->sk->sk_state_change isn't replaced.  As such we don't need to restore sock->sk->sk_state_change if queue->state_change is NULL.  This avoids NULL pointer dereferences such as this:  [  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode [  286.463796][    C0] #PF: error_code(0x0010) - not-present page [  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0 [  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI [  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary) [  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [  286.467147][    C0] RIP: 0010:0x0 [  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246 [  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43 [  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100 [  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c [  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3 [  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268 [  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000 [  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0 [  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [  286.475453][    C0] Call Trace: [  286.476102][    C0]  <IRQ> [  286.476719][    C0]  tcp_fin+0x2bb/0x440 [  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60 [  286.478174][    C0]  ? __build_skb_around+0x234/0x330 [  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10 [  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0 [  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30 [  286.482769][    C0]  ? ktime_get+0x66/0x150 [  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050 [  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0 [  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10 [  286.486917][    C0]  ? lock_release+0x217/0x2c0 [  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0 [  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30 [  286.488904][    C0]  ? 
raw_local_deliver+0x51b/0xad0 [  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10 [  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10 [  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack] [  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0 [  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370 [  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420 [  286.494268][    C0]  ip_local_deliver+0x168/0x430 [  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10 [  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10 [  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20 [  286.496806][    C0]  ? lock_release+0x217/0x2c0 [  286.497414][    C0]  ip_rcv+0x455/0x6e0 [  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10 [ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38036",
                                "url": "https://ubuntu.com/security/CVE-2025-38036",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/vf: Perform early GT MMIO initialization to read GMDID  VFs need to communicate with the GuC to obtain the GMDID value and existing GuC functions used for that assume that the GT has its MMIO members already set up. However, due to recent refactoring the gt->mmio is initialized later, and any attempt by the VF to use xe_mmio_read|write() from GuC functions will lead to NPD crash due to unset MMIO register address:  [] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode [] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507 [] BUG: unable to handle page fault for address: 0000000000190240  Since we are already tweaking the id and type of the primary GT to mimic it's a Media GT before initializing the GuC communication, we can also call xe_gt_mmio_init() to perform early setup of the gt->mmio which will make those GuC functions work again.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38037",
                                "url": "https://ubuntu.com/security/CVE-2025-38037",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: Annotate FDB data races  The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2].  Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE().  [1] BUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit  write to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:  vxlan_xmit+0xb29/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  read to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:  vxlan_xmit+0xadf/0x2380  dev_hard_start_xmit+0x84/0x2f0  __dev_queue_xmit+0x45a/0x1650  packet_xmit+0x100/0x150  packet_sendmsg+0x2114/0x2ac0  __sys_sendto+0x318/0x330  __x64_sys_sendto+0x76/0x90  x64_sys_call+0x14e8/0x1c00  do_syscall_64+0x9e/0x1a0  entry_SYSCALL_64_after_hwframe+0x77/0x7f  value changed: 0x00000000fffbac6e -> 0x00000000fffbac6f  Reported by Kernel Concurrency Sanitizer on: CPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014  [2]  #!/bin/bash   set +H  echo whitelist > /sys/kernel/debug/kcsan  echo !vxlan_xmit > /sys/kernel/debug/kcsan   ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1  bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1  taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &  taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38038",
                                "url": "https://ubuntu.com/security/CVE-2025-38038",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost  set_boost is a per-policy function call, hence a driver wide lock is unnecessary. Also this mutex_acquire can collide with the mutex_acquire from the mode-switch path in status_store(), which can lead to a deadlock. So, remove it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38039",
                                "url": "https://ubuntu.com/security/CVE-2025-38039",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled  When attempting to enable MQPRIO while HTB offload is already configured, the driver currently returns `-EINVAL` and triggers a `WARN_ON`, leading to an unnecessary call trace.  Update the code to handle this case more gracefully by returning `-EOPNOTSUPP` instead, while also providing a helpful user message.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38080",
                                "url": "https://ubuntu.com/security/CVE-2025-38080",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Increase block_sequence array size  [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash.  [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38060",
                                "url": "https://ubuntu.com/security/CVE-2025-38060",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: copy_verifier_state() should copy 'loop_entry' field  The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state.  Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack().  See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix.  This change has some verification performance impact for selftests:  File                                Program                       Insns (A)  Insns (B)  Insns   (DIFF)  States (A)  States (B)  States (DIFF) ----------------------------------  ----------------------------  ---------  ---------  --------------  ----------  ----------  ------------- arena_htab.bpf.o                    arena_htab_llvm                     717        426  -291 (-40.59%)          57          37  -20 (-35.09%) arena_htab_asm.bpf.o                arena_htab_asm                      597        445  -152 (-25.46%)          47          37  -10 (-21.28%) arena_list.bpf.o                    arena_list_del                      309        279    -30 (-9.71%)          23          14   -9 (-39.13%) iters.bpf.o                         iter_subprog_check_stacksafe        155        141    -14 (-9.03%)          15          14    -1 (-6.67%) iters.bpf.o                         iter_subprog_iters                 1094       1003    -91 (-8.32%)          88          83    -5 (-5.68%) iters.bpf.o                         loop_state_deps2                    479        725  +246 (+51.36%)          46          63  +17 (+36.96%) kmem_cache_iter.bpf.o               
open_coded_iter                      63         59     -4 (-6.35%)           7           6   -1 (-14.29%) verifier_bits_iter.bpf.o            max_words                            92         84     -8 (-8.70%)           8           7   -1 (-12.50%) verifier_iterating_callbacks.bpf.o  cond_break2                         113        107     -6 (-5.31%)          12          12    +0 (+0.00%)  And significant negative impact for sched_ext:  File               Program                 Insns (A)  Insns (B)  Insns        (DIFF)  States (A)  States (B)  States      (DIFF) -----------------  ----------------------  ---------  --------- --------------------  ----------  ----------  ------------------ bpf.bpf.o          lavd_init                    7039      14723      +7684 (+109.16%)         490        1139     +649 (+132.45%) bpf.bpf.o          layered_dispatch            11485      10548        -937 (-8.16%)         848         762       -86 (-10.14%) bpf.bpf.o          layered_dump                 7422    1000001  +992579 (+13373.47%)         681       31178  +30497 (+4478.27%) bpf.bpf.o          layered_enqueue             16854      71127     +54273 (+322.02%)        1611        6450    +4839 (+300.37%) bpf.bpf.o          p2dq_dispatch                 665        791        +126 (+18.95%)          68          78       +10 (+14.71%) bpf.bpf.o          p2dq_init                    2343       2980        +637 (+27.19%)         201         237       +36 (+17.91%) bpf.bpf.o          refresh_layer_cpumasks      16487     674760   +658273 (+3992.68%)        1770       65370  +63600 (+3593.22%) bpf.bpf.o          rusty_select_cpu             1937      40872    +38935 (+2010.07%)         177        3210   +3033 (+1713.56%) scx_central.bpf.o  central_dispatch              636       2687      +2051 (+322.48%)          63         227     +164 (+260.32%) scx_nest.bpf.o     nest_init                     636        815        +179 (+28.14%)          60          73       +13 (+21.67%) 
scx_qmap.bpf.o     qmap_dispatch      ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38040",
                                "url": "https://ubuntu.com/security/CVE-2025-38040",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  serial: mctrl_gpio: split disable_ms into sync and no_sync APIs  The following splat has been observed on a SAMA5D27 platform using atmel_serial:  BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last  enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last  enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace:   unwind_backtrace from show_stack+0x18/0x1c   show_stack from dump_stack_lvl+0x44/0x70   dump_stack_lvl from __might_resched+0x38c/0x598   __might_resched from disable_irq+0x1c/0x48   disable_irq from mctrl_gpio_disable_ms+0x74/0xc0   mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4   atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8   atmel_set_termios from uart_change_line_settings+0x15c/0x994   uart_change_line_settings from uart_set_termios+0x2b0/0x668   uart_set_termios from tty_set_termios+0x600/0x8ec   tty_set_termios from ttyport_set_flow_control+0x188/0x1e0   ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]   wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]   hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]   hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]   hci_power_on [bluetooth] from process_one_work+0x998/0x1a38   process_one_work from worker_thread+0x6e0/0xfb4   worker_thread from kthread+0x3d4/0x484   kthread from ret_from_fork+0x14/0x28  This warning is emitted when 
trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock).  Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38061",
                                "url": "https://ubuntu.com/security/CVE-2025-38061",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: pktgen: fix access outside of user given buffer in pktgen_thread_write()  Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38062",
                                "url": "https://ubuntu.com/security/CVE-2025-38062",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie  The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:   1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address     is stored in the MSI descriptor when an MSI interrupt is allocated.   2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a     translated message address.  This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.  Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the \"container\" after starting up.  However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).  This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.  Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.  
The other UAF related to iommu_get_domain_for_dev() will be addressed in patch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by using the IOMMU group mutex.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38041",
                                "url": "https://ubuntu.com/security/CVE-2025-38041",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: sunxi-ng: h616: Reparent GPU clock during frequency changes  The H616 manual does not state that the GPU PLL supports dynamic frequency configuration, so we must take extra care when changing the frequency. Currently any attempt to do device DVFS on the GPU lead to panfrost various ooops, and GPU hangs.  The manual describes the algorithm for changing the PLL frequency, which the CPU PLL notifier code already support, so we reuse that to reparent the GPU clock to GPU1 clock during frequency changes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38063",
                                "url": "https://ubuntu.com/security/CVE-2025-38063",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm: fix unconditional IO throttle caused by REQ_PREFLUSH  When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait().  An example from v5.4, similar problem also exists in upstream:      crash> bt 2091206     PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"      #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8      #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4      #2 [ffff800084a2f880] schedule at ffff800040bfa4b4      #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4      #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc      #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0      #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254      #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38      #8 [ffff800084a2fa60] generic_make_request at ffff800040570138      #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4     #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]     #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]     #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]     #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]     #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]     #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]     #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08     #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc     #18 [ffff800084a2fe70] kthread at ffff800040118de4  After commit 2def2845cc33 (\"xfs: don't allow log IO to be throttled\"), the metadata submitted by xlog_write_iclog() should not be throttled. But due to the existence of the dm layer, throttling flush_bio indirectly causes the metadata bio to be throttled.  
Fix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes wbt_should_throttle() return false to avoid wbt_wait().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38064",
                                "url": "https://ubuntu.com/security/CVE-2025-38064",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio: break and reset virtio devices on device_shutdown()  Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang.  \tInvalid read at addr 0x102877002, size 2, region '(null)', reason: rejected \tInvalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected \t...  It was traced down to virtio-console. Kexec works fine if virtio-console is not in use.  The issue is that virtio-console continues to write to the MMIO even after underlying virtio-pci device is reset.  Additionally, Eric noticed that IOMMUs are reset before devices, if devices are not reset on shutdown they continue to poke at guest memory and get errors from the IOMMU. Some devices get wedged then.  The problem can be solved by breaking all virtio devices on virtio bus shutdown, then resetting them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38042",
                                "url": "https://ubuntu.com/security/CVE-2025-38042",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn  The user of k3_udma_glue_reset_rx_chn() e.g. ti_am65_cpsw_nuss can run on multiple platforms having different DMA architectures. On some platforms there can be one FDQ for all flows in the RX channel while for others there is a separate FDQ for each flow in the RX channel.  So far we have been relying on the skip_fdq argument of k3_udma_glue_reset_rx_chn().  Instead of relying on the user to provide this information, infer it based on DMA architecture during k3_udma_glue_request_rx_chn() and save it in an internal flag 'single_fdq'. Use that flag at k3_udma_glue_reset_rx_chn() to deicide if the FDQ needs to be cleared for every flow or just for flow 0.  Fixes the below issue on ti_am65_cpsw_nuss driver on AM62-SK.  > ip link set eth1 down > ip link set eth0 down > ethtool -L eth0 rx 8 > ip link set eth0 up > modprobe -r ti_am65_cpsw_nuss  [  103.045726] ------------[ cut here ]------------ [  103.050505] k3_knav_desc_pool size 512000 != avail 64000 [  103.050703] WARNING: CPU: 1 PID: 450 at drivers/net/ethernet/ti/k3-cppi-desc-pool.c:33 k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.068810] Modules linked in: ti_am65_cpsw_nuss(-) k3_cppi_desc_pool snd_soc_hdmi_codec crct10dif_ce snd_soc_simple_card snd_soc_simple_card_utils display_connector rtc_ti_k3 k3_j72xx_bandgap tidss drm_client_lib snd_soc_davinci_mcas p drm_dma_helper tps6598x phylink snd_soc_ti_udma rti_wdt drm_display_helper snd_soc_tlv320aic3x_i2c typec at24 phy_gmii_sel snd_soc_ti_edma snd_soc_tlv320aic3x sii902x snd_soc_ti_sdma sa2ul omap_mailbox drm_kms_helper authenc cfg80211 r fkill fuse drm drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: k3_cppi_desc_pool] [  103.119950] CPU: 1 UID: 0 PID: 450 Comm: modprobe Not tainted 6.13.0-rc7-00001-g9c5e3435fa66 
#1011 [  103.119968] Hardware name: Texas Instruments AM625 SK (DT) [  103.119974] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  103.119983] pc : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.148007] lr : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] [  103.154709] sp : ffff8000826ebbc0 [  103.158015] x29: ffff8000826ebbc0 x28: ffff0000090b6300 x27: 0000000000000000 [  103.165145] x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000019df6b0 [  103.172271] x23: ffff0000019df6b8 x22: ffff0000019df410 x21: ffff8000826ebc88 [  103.179397] x20: 000000000007d000 x19: ffff00000a3b3000 x18: 0000000000000000 [  103.186522] x17: 0000000000000000 x16: 0000000000000000 x15: 000001e8c35e1cde [  103.193647] x14: 0000000000000396 x13: 000000000000035c x12: 0000000000000000 [  103.200772] x11: 000000000000003a x10: 00000000000009c0 x9 : ffff8000826eba20 [  103.207897] x8 : ffff0000090b6d20 x7 : ffff00007728c180 x6 : ffff00007728c100 [  103.215022] x5 : 0000000000000001 x4 : ffff000000508a50 x3 : ffff7ffff6146000 [  103.222147] x2 : 0000000000000000 x1 : e300b4173ee6b200 x0 : 0000000000000000 [  103.229274] Call trace: [  103.231714]  k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] (P) [  103.238408]  am65_cpsw_nuss_free_rx_chns+0x28/0x4c [ti_am65_cpsw_nuss] [  103.244942]  devm_action_release+0x14/0x20 [  103.249040]  release_nodes+0x3c/0x68 [  103.252610]  devres_release_all+0x8c/0xdc [  103.256614]  device_unbind_cleanup+0x18/0x60 [  103.260876]  device_release_driver_internal+0xf8/0x178 [  103.266004]  driver_detach+0x50/0x9c [  103.269571]  bus_remove_driver+0x6c/0xbc [  103.273485]  driver_unregister+0x30/0x60 [  103.277401]  platform_driver_unregister+0x14/0x20 [  103.282096]  am65_cpsw_nuss_driver_exit+0x18/0xff4 [ti_am65_cpsw_nuss] [  103.288620]  __arm64_sys_delete_module+0x17c/0x25c [  103.293404]  invoke_syscall+0x44/0x100 [  103.297149]  el0_svc_common.constprop.0+0xc0/0xe0 [  103.301845]  
do_el0_svc+0x1c/0x28 [  103.305155]  el0_svc+0x28/0x98 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38043",
                                "url": "https://ubuntu.com/security/CVE-2025-38043",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_ffa: Set dma_mask for ffa devices  Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning:  WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38044",
                                "url": "https://ubuntu.com/security/CVE-2025-38044",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: cx231xx: set device_caps for 417  The video_device for the MPEG encoder did not set device_caps.  Add this, otherwise the video device can't be registered (you get a WARN_ON instead).  Not seen before since currently 417 support is disabled, but I found this while experimenting with it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38065",
                                "url": "https://ubuntu.com/security/CVE-2025-38065",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: Do not truncate file size  'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38066",
                                "url": "https://ubuntu.com/security/CVE-2025-38066",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm cache: prevent BUG_ON by blocking retries on failed device resumes  A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.  Reproduce steps:  1. create a cache metadata consisting of 512 or more cache blocks,    with some mappings stored in the first array block of the mapping    array. Here we use cache_restore v1.0 to build the metadata.  cat <<EOF >> cmeta.xml <superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\ policy=\"smq\" hint_width=\"4\">   <mappings>     <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>   </mappings> </superblock> EOF dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta  2. wipe the second array block of the mapping array to simulate    data degradations.  mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\ 2>/dev/null | hexdump -e '1/8 \"%u\\n\"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock  3. try bringing up the cache device. The resume is expected to fail    due to the broken array block.  dmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\" dmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\" dmsetup create corig --table \"0 524288 linear /dev/sdc 262144\" dmsetup create cache --notable dmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\" dmsetup resume cache  4. try resuming the cache again. An unexpected BUG_ON is triggered    while loading cache mappings.  
dmsetup resume cache  Kernel logs:  (snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smq_load_mapping+0x3e5/0x570  Fix by disallowing resume operations for devices that failed the initial attempt.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38067",
                                "url": "https://ubuntu.com/security/CVE-2025-38067",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rseq: Fix segfault on registration when rseq_cs is non-zero  The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.  The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.  What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38068",
                                "url": "https://ubuntu.com/security/CVE-2025-38068",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: lzo - Fix compression buffer overrun  Unlike the decompression code, the compression code in LZO never checked for output overruns.  It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller.  Add a safe compression interface that checks for the end of buffer before each write.  Use the safe interface in crypto/lzo.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38069",
                                "url": "https://ubuntu.com/security/CVE-2025-38069",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops  Fix a kernel oops found while testing the stm32_pcie Endpoint driver with handling of PERST# deassertion:  During EP initialization, pci_epf_test_alloc_space() allocates all BARs, which are further freed if epc_set_bar() fails (for instance, due to no free inbound window).  However, when pci_epc_set_bar() fails, the error path:    pci_epc_set_bar() ->     pci_epf_free_space()  does not clear the previous assignment to epf_test->reg[bar].  Then, if the host reboots, the PERST# deassertion restarts the BAR allocation sequence with the same allocation failure (no free inbound window), creating a double free situation since epf_test->reg[bar] was deallocated and is still non-NULL.  Thus, make sure that pci_epf_alloc_space() and pci_epf_free_space() invocations are symmetric, and as such, set epf_test->reg[bar] to NULL when memory is freed.  [kwilczynski: commit log]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38045",
                                "url": "https://ubuntu.com/security/CVE-2025-38045",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix debug actions order  The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38070",
                                "url": "https://ubuntu.com/security/CVE-2025-38070",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: sma1307: Add NULL check in sma1307_setting_loaded()  All variables allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added.  This issue is found by our static analysis tool",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38071",
                                "url": "https://ubuntu.com/security/CVE-2025-38071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Check return value from memblock_phys_alloc_range()  At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() to throw the first 4 MiB of physical memory to the wolves.  At a minimum it should fail gracefully with a meaningful diagnostic, but in fact everything seems to work fine without the weird reserve allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38072",
                                "url": "https://ubuntu.com/security/CVE-2025-38072",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libnvdimm/labels: Fix divide error in nd_label_data_init()  If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver:   Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI  RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]  Code and flow:  1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver):  drivers/cxl/pmem.c:             .config_size = mds->lsa_size,  3) max_xfer is set to zero (nvdimm driver):  drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);  4) A subsequent DIV_ROUND_UP() causes a division by zero:  drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c-                 config_size);  Fix this by checking the config size parameter by extending an existing check.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38081",
                                "url": "https://ubuntu.com/security/CVE-2025-38081",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi-rockchip: Fix register out of bounds access  Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38047",
                                "url": "https://ubuntu.com/security/CVE-2025-38047",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fred: Fix system hang during S4 resume with FRED enabled  Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective.  It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original page frames used before hibernation unless those frames are currently in use.  Once all pages are moved to their original locations, it jumps to a \"trampoline\" page in the image kernel.  At this point, the image kernel takes control, but the FRED MSRs still contain values set by the restore kernel, which may differ from those set by the image kernel before hibernation.  Therefore, the image kernel must ensure the FRED MSRs have the same values as before hibernation. Since these values depend only on the location of the kernel text and data, they can be recomputed from scratch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38073",
                                "url": "https://ubuntu.com/security/CVE-2025-38073",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: fix race between set_blocksize and read paths  With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash.  Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device.  The read call can create an order-0 folio to read the first 4096 bytes from the disk.  But then udev is preempted.  Next, someone tries to mount an 8k-sectorsize filesystem from the same block device.  The filesystem calls set_blksize, which sets i_blksize to 8192 and the minimum folio order to 1.  Now udev resumes, still holding the order-0 folio it allocated.  It then tries to schedule a read bio and do_mpage_readahead tries to create bufferheads for the folio.  Unfortunately, blocks_per_folio == 0 because the page size is 4096 but the blocksize is 8192 so no bufferheads are attached and the bh walk never sets bdev.  We then submit the bio with a NULL block device and crash.  Therefore, truncate the page cache after flushing but before updating i_blksize.  However, that's not enough -- we also need to lock out file IO and page faults during the update.  Take both the i_rwsem and the invalidate_lock in exclusive mode for invalidations, and in shared mode for read/write operations.  I don't know if this is the correct fix, but xfs/259 found it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38074",
                                "url": "https://ubuntu.com/security/CVE-2025-38074",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vhost-scsi: protect vq->log_used with vq->mutex  The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.      vhost-thread                       QEMU-thread  vhost_scsi_complete_cmd_work() -> vhost_add_used()    -> vhost_add_used_n()       if (unlikely(vq->log_used))                                       QEMU disables vq->log_used                                       via VHOST_SET_VRING_ADDR.                                       mutex_lock(&vq->mutex);                                       vq->log_used = false now!                                       mutex_unlock(&vq->mutex);  \t\t\t\t      QEMU gfree(vq->log_base)         log_used()         -> log_write(vq->log_base)  Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace.  The control queue path has the same issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38048",
                                "url": "https://ubuntu.com/security/CVE-2025-38048",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN  syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred:  ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed  write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:  virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653  start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264  __netdev_start_xmit include/linux/netdevice.h:5151 [inline]  netdev_start_xmit include/linux/netdevice.h:5160 [inline]  xmit_one net/core/dev.c:3800 [inline]  read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:  virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]  virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566  skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777  vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715  __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158  handle_irq_event_percpu kernel/irq/handle.c:193 [inline]  value changed: 0x01 -> 0x00 ==================================================================  When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used.  Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38075",
                                "url": "https://ubuntu.com/security/CVE-2025-38075",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: iscsi: Fix timeout on deleted connection  NOPIN response timer may expire on a deleted connection and crash with such logs:  Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d  BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP  strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace:  iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]  call_timer_fn+0x58/0x1f0  run_timer_softirq+0x740/0x860  __do_softirq+0x16c/0x420  irq_exit+0x188/0x1c0  timer_interrupt+0x184/0x410  That is because nopin response timer may be re-started on nopin timer expiration.  Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38350",
                                "url": "https://ubuntu.com/security/CVE-2025-38350",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: Always pass notifications when child class becomes empty  Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.  The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:      tc qdisc add dev lo root handle 1: drr     tc filter add dev lo parent 1: basic classid 1:1     tc class add dev lo parent 1: classid 1:1 drr     tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1     tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0     tc qdisc add dev lo parent 2:1 handle 3: netem     tc qdisc add dev lo parent 3:1 handle 4: blackhole      echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888     tc class delete dev lo classid 1:1     echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888  Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. 
This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-19 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-32.32 -proposed tracker (LP: #2121653)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.08.11)",
                            "",
                            "  * Pytorch reports incorrect GPU memory causing \"HIP Out of Memory\" errors",
                            "    (LP: #2120454)",
                            "    - drm/amdkfd: add a new flag to manage where VRAM allocations go",
                            "    - drm/amdkfd: use GTT for VRAM on APUs only if GTT is larger",
                            "",
                            "  * nvme no longer detected on boot after upgrade to 6.8.0-60 (LP: #2111521)",
                            "    - SAUCE: PCI: Disable RRS polling for Intel SSDPE2KX020T8 nvme",
                            "",
                            "  * kernel panic when reloading apparmor 5.0.0 profiles (LP: #2120233)",
                            "    - SAUCE: apparmor5.0.0 [59/53]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * [SRU] Add support for ALC1708 codec on TRBL platform (LP: #2116247)",
                            "    - ASoC: Intel: soc-acpi-intel-lnl-match: add rt1320_l12_rt714_l0 support",
                            "",
                            "  * [SRU] Add waiting latency for USB port resume (LP: #2115478)",
                            "    - usb: hub: fix detection of high tier USB3 devices behind suspended hubs",
                            "    - usb: hub: Fix flushing and scheduling of delayed work that tunes runtime",
                            "      pm",
                            "    - usb: hub: Fix flushing of delayed work used for post resume purposes",
                            "",
                            "  * minimal kernel lacks modules for blk disk in arm64 openstack environments",
                            "    where config_drive is required (LP: #2118499)",
                            "    - [Config] Enable SYM53C8XX_2 on arm64",
                            "",
                            "  * Support xe2_hpg (LP: #2116175)",
                            "    - drm/xe/xe2_hpg: Add PCI IDs for xe2_hpg",
                            "    - drm/xe/xe2_hpg: Define additional Xe2_HPG GMD_ID",
                            "    - drm/xe/xe2_hpg: Add set of workarounds",
                            "    - drm/xe/xe2hpg: Add Wa_16025250150",
                            "",
                            "  * drm/xe: Lite restore breaks fdinfo drm-cycles-rcs reporting (LP: #2119526)",
                            "    - drm/xe: Add WA BB to capture active context utilization",
                            "    - drm/xe/lrc: Use a temporary buffer for WA BB",
                            "",
                            "  * No IP Address assigned after hot-plugging Ethernet cable on HP Platform",
                            "    (LP: #2115393)",
                            "    - Revert \"e1000e: change k1 configuration on MTP and later platforms\"",
                            "",
                            "  * I/O performance regression on NVMes under same bridge (dual port nvme)",
                            "    (LP: #2115738)",
                            "    - iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes",
                            "    - iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags()",
                            "    - iommu/vt-d: Create unique domain ops for each stage",
                            "    - iommu/vt-d: Split intel_iommu_enforce_cache_coherency()",
                            "    - iommu/vt-d: Split paging_domain_compatible()",
                            "    - iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain",
                            "",
                            "  * BPF header file in wrong location (LP: #2118965)",
                            "    - [Packaging] Install bpf header to correct location",
                            "",
                            "  * Internal microphone not working on ASUS VivoBook with Realtek ALC256",
                            "    (Ubuntu 24.04 + kernel 6.15) (LP: #2112330)",
                            "    - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA",
                            "",
                            "  * Documentation update for  [Ubuntu25.04] \"virsh attach-interface\" requires",
                            "    a reboot to reflect the attached interfaces on the guest (LP: #2111231)",
                            "    - powerpc/pseries/dlpar: Search DRC index from ibm, drc-indexes for IO add",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603)",
                            "    - tools/x86/kcpuid: Fix error handling",
                            "    - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in",
                            "      mwait_idle_with_hints() and prefer_mwait_c1_over_halt()",
                            "    - crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run()",
                            "    - sched: Fix trace_sched_switch(.prev_state)",
                            "    - perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member",
                            "    - perf/x86/amd/uncore: Prevent UMC counters from saturating",
                            "    - gfs2: replace sd_aspace with sd_inode",
                            "    - gfs2: gfs2_create_inode error handling fix",
                            "    - perf/core: Fix broken throttling when max_samples_per_tick=1",
                            "    - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions",
                            "    - powerpc: do not build ppc_save_regs.o always",
                            "    - powerpc/crash: Fix non-smp kexec preparation",
                            "    - sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed",
                            "      tasks",
                            "    - x86/microcode/AMD: Do not return error when microcode update is not",
                            "      necessary",
                            "    - crypto: sun8i-ce - undo runtime PM changes during driver removal",
                            "    - x86/cpu: Sanitize CPUID(0x80000000) output",
                            "    - x86/insn: Fix opcode map (!REX2) superscript tags",
                            "    - brd: fix aligned_sector from brd_do_discard()",
                            "    - brd: fix discard end sector",
                            "    - kselftest: cpufreq: Get rid of double suspend in rtcwake case",
                            "    - crypto: marvell/cesa - Avoid empty transfer descriptor",
                            "    - erofs: fix file handle encoding for 64-bit NIDs",
                            "    - powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view",
                            "    - btrfs: scrub: update device stats when an error is detected",
                            "    - btrfs: scrub: fix a wrong error type when metadata bytenr mismatches",
                            "    - btrfs: fix invalid data space release when truncating block in NOCOW",
                            "      mode",
                            "    - rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture",
                            "    - crypto: lrw - Only add ecb if it is not already there",
                            "    - crypto: xts - Only add ecb if it is not already there",
                            "    - crypto: sun8i-ce - move fallback ahash_request to the end of the struct",
                            "    - kunit: Fix wrong parameter to kunit_deactivate_static_stub()",
                            "    - crypto: api - Redo lookup on EEXIST",
                            "    - ACPICA: exserial: don't forget to handle FFixedHW opregions for reading",
                            "    - ASoC: tas2764: Enable main IRQs",
                            "    - EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo",
                            "      channel 0",
                            "    - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers",
                            "    - spi: tegra210-quad: remove redundant error handling code",
                            "    - spi: tegra210-quad: modify chip select (CS) deactivation",
                            "    - power: reset: at91-reset: Optimize at91_reset()",
                            "    - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type",
                            "    - ASoC: SOF: amd: add missing acp descriptor field",
                            "    - PM: wakeup: Delete space in the end of string shown by",
                            "      pm_show_wakelocks()",
                            "    - ACPI: resource: fix a typo for MECHREVO in",
                            "      irq1_edge_low_force_override[]",
                            "    - x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()",
                            "    - PM: sleep: Print PM debug messages during hibernation",
                            "    - thermal/drivers/mediatek/lvts: Fix debugfs unregister on failure",
                            "    - ACPI: OSI: Stop advertising support for \"3.0 _SCP Extensions\"",
                            "    - spi: sh-msiof: Fix maximum DMA transfer size",
                            "    - ASoC: apple: mca: Constrain channels according to TDM mask",
                            "    - ALSA: core: fix up bus match const issues.",
                            "    - drm/vmwgfx: Add seqno waiter for sync_files",
                            "    - drm/vmwgfx: Add error path for xa_store in vmw_bo_add_detached_resource",
                            "    - drm/vmwgfx: Fix dumb buffer leak",
                            "    - drm/xe/d3cold: Set power state to D3Cold during s2idle/s3",
                            "    - drm/vc4: tests: Use return instead of assert",
                            "    - media: rkvdec: Fix frame size enumeration",
                            "    - arm64/fpsimd: Avoid RES0 bits in the SME trap handler",
                            "    - arm64/fpsimd: Don't corrupt FPMR when streaming mode changes",
                            "    - arm64/fpsimd: Reset FPMR upon exec()",
                            "    - arm64/fpsimd: Fix merging of FPSIMD state during signal return",
                            "    - drm/panthor: Fix GPU_COHERENCY_ACE[_LITE] definitions",
                            "    - drm/panthor: Update panthor_mmu::irq::mask when needed",
                            "    - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support",
                            "    - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()",
                            "    - fs/ntfs3: Add missing direct_IO in ntfs_aops_cmpr",
                            "    - kunit/usercopy: Disable u64 test on 32-bit SPARC",
                            "    - watchdog: exar: Shorten identity name to fit correctly",
                            "    - m68k: mac: Fix macintosh_config for Mac II",
                            "    - firmware: psci: Fix refcount leak in psci_dt_init",
                            "    - arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX",
                            "    - selftests/seccomp: fix syscall_restart test for arm compat",
                            "    - drm/msm/dpu: enable SmartDMA on SM8150",
                            "    - drm/msm/dpu: enable SmartDMA on SC8180X",
                            "    - drm: rcar-du: Fix memory leak in rcar_du_vsps_init()",
                            "    - drm/vkms: Adjust vkms_state->active_planes allocation type",
                            "    - drm/tegra: rgb: Fix the unbound reference count",
                            "    - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES",
                            "    - arm64/fpsimd: Do not discard modified SVE state",
                            "    - overflow: Fix direct struct member initialization in _DEFINE_FLEX()",
                            "    - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops",
                            "    - selftests/seccomp: fix negative_ENOSYS tracer tests on arm32",
                            "    - drm/msm/a6xx: Disable rgb565_predicator on Adreno 7c3",
                            "    - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr",
                            "    - drm/mediatek: Fix kobject put for component sub-drivers",
                            "    - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err",
                            "    - media: verisilicon: Free post processor buffers on error",
                            "    - svcrdma: Reduce the number of rdma_rw contexts per-QP",
                            "    - xen/x86: fix initial memory balloon target",
                            "    - wifi: ath12k: Fix memory leak during vdev_id mismatch",
                            "    - wifi: ath12k: Fix invalid memory access while forming 802.11 header",
                            "    - IB/cm: use rwlock for MAD agent lock",
                            "    - bpf: Check link_create.flags parameter for multi_kprobe",
                            "    - selftests/bpf: Fix bpf_nf selftest failure",
                            "    - bpf, sockmap: fix duplicated data transmission",
                            "    - wifi: ath12k: fix cleanup path after mhi init",
                            "    - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc",
                            "    - f2fs: clean up unnecessary indentation",
                            "    - f2fs: prevent the current section from being selected as a victim during",
                            "      GC",
                            "    - page_pool: Move pp_magic check into helper functions",
                            "    - page_pool: Track DMA-mapped pages and unmap them when destroying the",
                            "      pool",
                            "    - net: ncsi: Fix GCPS 64-bit member variables",
                            "    - libbpf: Fix buffer overflow in bpf_object__init_prog",
                            "    - net/mlx5: Avoid using xso.real_dev unnecessarily",
                            "    - xfrm: Use xdo.dev instead of xdo.real_dev",
                            "    - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT",
                            "    - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally",
                            "    - wifi: rtw88: do not ignore hardware read error during DPK",
                            "    - wifi: ath12k: Add MSDU length validation for TKIP MIC error",
                            "    - wifi: ath12k: Fix the QoS control field offset to build QoS header",
                            "    - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h",
                            "    - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk",
                            "    - libbpf: Fix event name too long error",
                            "    - libbpf: Remove sample_period init in perf_buffer",
                            "    - Use thread-safe function pointer in libbpf_print",
                            "    - iommu: Protect against overflow in iommu_pgsize()",
                            "    - bonding: assign random address if device address is same as bond",
                            "    - f2fs: clean up w/ fscrypt_is_bounce_page()",
                            "    - f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()",
                            "    - libbpf: Use proper errno value in linker",
                            "    - bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps",
                            "    - netfilter: bridge: Move specific fragmented packet to slow_path instead",
                            "      of dropping it",
                            "    - netfilter: nft_quota: match correctly when the quota just depleted",
                            "    - bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ",
                            "    - tracing: Move histogram trigger variables from stack to per CPU",
                            "      structure",
                            "    - clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs",
                            "    - clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs",
                            "    - clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs",
                            "    - clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs",
                            "    - bpftool: Fix regression of \"bpftool cgroup tree\" EINVAL on older kernels",
                            "    - wifi: iwlfiwi: mvm: Fix the rate reporting",
                            "    - efi/libstub: Describe missing 'out' parameter in efi_load_initrd",
                            "    - selftests/bpf: Fix caps for __xlated/jited_unpriv",
                            "    - tracing: Rename event_trigger_alloc() to trigger_data_alloc()",
                            "    - tracing: Fix error handling in event_trigger_parse()",
                            "    - of: unittest: Unlock on error in unittest_data_add()",
                            "    - ktls, sockmap: Fix missing uncharge operation",
                            "    - libbpf: Use proper errno value in nlattr",
                            "    - dt-bindings: soc: fsl,qman-fqd: Fix reserved-memory.yaml reference",
                            "    - clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz",
                            "    - s390/bpf: Store backchain even for leaf progs",
                            "    - wifi: rtw89: pci: enlarge retry times of RX tag to 1000",
                            "    - wifi: rtw89: fix firmware scan delay unit for WiFi 6 chips",
                            "    - iommu: remove duplicate selection of DMAR_TABLE",
                            "    - wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event",
                            "    - hisi_acc_vfio_pci: add eq and aeq interruption restore",
                            "    - scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort()",
                            "    - Bluetooth: ISO: Fix not using SID from adv report",
                            "    - wifi: mt76: mt7925: prevent multiple scan commands",
                            "    - wifi: mt76: mt7925: refine the sniffer commnad",
                            "    - wifi: mt76: mt7925: ensure all MCU commands wait for response",
                            "    - wifi: mt76: mt7996: set EHT max ampdu length capability",
                            "    - wifi: mt76: mt7996: fix RX buffer size of MCU event",
                            "    - bpf: Revert \"bpf: remove unnecessary rcu_read_{lock,unlock}() in multi-",
                            "      uprobe attach logic\"",
                            "    - netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft",
                            "      only builds",
                            "    - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy",
                            "    - vfio/type1: Fix error unwind in migration dirty bitmap allocation",
                            "    - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()",
                            "    - netfilter: nf_tables: nft_fib: consistent l3mdev handling",
                            "    - netfilter: nft_tunnel: fix geneve_opt dump",
                            "    - RISC-V: KVM: lock the correct mp_state during reset",
                            "    - vsock/virtio: fix `rx_bytes` accounting for stream sockets",
                            "    - net: lan966x: Fix 1-step timestamping over ipv4 or ipv6",
                            "    - net: xilinx: axienet: Fix Tx skb circular buffer occupancy check in",
                            "      dmaengine xmit",
                            "    - net: phy: fix up const issues in to_mdio_device() and to_phy_device()",
                            "    - net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy",
                            "    - net: lan743x: Fix PHY reset handling during initialization and WOL",
                            "    - octeontx2-pf: QOS: Perform cache sync on send queue teardown",
                            "    - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames",
                            "    - f2fs: use d_inode(dentry) cleanup dentry->d_inode",
                            "    - f2fs: fix to correct check conditions in f2fs_cross_rename",
                            "    - arm64: dts: qcom: sm8650: setup gpu thermal with higher temperatures",
                            "    - arm64: dts: qcom: sm8650: add missing cpu-cfg interconnect path in the",
                            "      mdss node",
                            "    - arm64: dts: qcom: x1e80100-romulus: Keep L12B and L15B always on",
                            "    - arm64: dts: qcom: sdm845-starqltechn: remove wifi",
                            "    - arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake",
                            "    - arm64: dts: qcom: sdm845-starqltechn: refactor node order",
                            "    - arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios",
                            "    - arm64: dts: qcom: sm8350: Reenable crypto & cryptobam",
                            "    - arm64: dts: qcom: sm8250: Fix CPU7 opp table",
                            "    - arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies",
                            "    - arm64: dts: qcom: ipq9574: Fix USB vdd info",
                            "    - arm64: dts: rockchip: Move SHMEM memory to reserved memory on rk3588",
                            "    - ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select",
                            "    - ARM: dts: at91: at91sam9263: fix NAND chip selects",
                            "    - arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains",
                            "    - arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect",
                            "      GPIO",
                            "    - arm64: dts: mt8183: Add port node to mt8183.dtsi",
                            "    - arm64: dts: imx8mm-beacon: Fix RTC capacitive load",
                            "    - arm64: dts: imx8mn-beacon: Fix RTC capacitive load",
                            "    - arm64: dts: imx8mp-beacon: Fix RTC capacitive load",
                            "    - arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI",
                            "      audio",
                            "    - arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI",
                            "      audio",
                            "    - arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles",
                            "    - arm64: dts: mt6359: Add missing 'compatible' property to regulators node",
                            "    - arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply",
                            "    - arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning",
                            "    - arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3566-rock3c",
                            "    - arm64: dts: rockchip: Update eMMC for NanoPi R5 series",
                            "    - arm64: tegra: Drop remaining serial clock-names and reset-names",
                            "    - arm64: tegra: Add uartd serial alias for Jetson TX1 module",
                            "    - arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E",
                            "    - soc: qcom: smp2p: Fix fallback to qcom,ipc parse",
                            "    - ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery",
                            "    - nilfs2: add pointer check for nilfs_direct_propagate()",
                            "    - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()",
                            "    - dt-bindings: vendor-prefixes: Add Liontron name",
                            "    - ARM: dts: qcom: apq8064: add missing clocks to the timer node",
                            "    - ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon",
                            "      device",
                            "    - ARM: dts: qcom: apq8064: move replicator out of soc node",
                            "    - arm64: defconfig: mediatek: enable PHY drivers",
                            "    - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399",
                            "      Puma with Haikou",
                            "    - arm64: dts: qcom: qcm2290: fix (some) of QUP interconnects",
                            "    - arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups",
                            "    - arm64: dts: mt6359: Rename RTC node to match binding expectations",
                            "    - ARM: aspeed: Don't select SRAM",
                            "    - soc: aspeed: lpc: Fix impossible judgment condition",
                            "    - randstruct: gcc-plugin: Remove bogus void member",
                            "    - randstruct: gcc-plugin: Fix attribute addition",
                            "    - perf build: Warn when libdebuginfod devel files are not available",
                            "    - perf ui browser hists: Set actions->thread before calling",
                            "      do_zoom_thread()",
                            "    - dm: don't change md if dm_table_set_restrictions() fails",
                            "    - dm: free table mempools if not used in __bind",
                            "    - x86/irq: Ensure initial PIR loads are performed exactly once",
                            "    - perf symbol-minimal: Fix double free in filename__read_build_id",
                            "    - dm-flakey: error all IOs when num_features is absent",
                            "    - dm-flakey: make corrupting read bios work",
                            "    - perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids()",
                            "    - perf tests: Fix 'perf report' tests installation",
                            "    - perf intel-pt: Fix PEBS-via-PT data_src",
                            "    - perf scripts python: exported-sql-viewer.py: Fix pattern matching with",
                            "      Python 3",
                            "    - remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe",
                            "    - remoteproc: k3-r5: Drop check performed in",
                            "      k3_r5_rproc_{mbox_callback/kick}",
                            "    - remoteproc: k3-dsp: Drop check performed in",
                            "      k3_dsp_rproc_{mbox_callback/kick}",
                            "    - rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()",
                            "    - mfd: exynos-lpass: Fix an error handling path in exynos_lpass_probe()",
                            "    - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in",
                            "      exynos_lpass_remove()",
                            "    - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE",
                            "    - perf tests switch-tracking: Fix timestamp comparison",
                            "    - mailbox: imx: Fix TXDB_V2 sending",
                            "    - mailbox: mtk-cmdq: Refine GCE_GCTL_VALUE setting",
                            "    - perf symbol: Fix use-after-free in filename__read_build_id",
                            "    - perf record: Fix incorrect --user-regs comments",
                            "    - perf trace: Always print return value for syscalls returning a pid",
                            "    - nfs: clear SB_RDONLY before getting superblock",
                            "    - nfs: ignore SB_RDONLY when remounting nfs",
                            "    - perf trace: Set errpid to false for rseq and set_robust_list",
                            "    - perf callchain: Always populate the addr_location map when adding IP",
                            "    - cifs: Fix validation of SMB1 query reparse point response",
                            "    - rust: alloc: add missing invariant in Vec::set_len()",
                            "    - rtc: sh: assign correct interrupts with DT",
                            "    - phy: rockchip: samsung-hdptx: Fix clock ratio setup",
                            "    - phy: rockchip: samsung-hdptx: Do no set rk_hdptx_phy->rate in case of",
                            "      errors",
                            "    - PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus()",
                            "    - PCI: rcar-gen4: set ep BAR4 fixed size",
                            "    - PCI: cadence: Fix runtime atomic count underflow",
                            "    - PCI: apple: Use gpiod_set_value_cansleep in probe flow",
                            "    - PCI/DPC: Initialize aer_err_info before using it",
                            "    - PCI/DPC: Log Error Source ID only when valid",
                            "    - rtc: loongson: Add missing alarm notifications for ACPI RTC events",
                            "    - PCI: endpoint: Retain fixed-size BAR size as well as aligned size",
                            "    - thunderbolt: Fix a logic error in wake on connect",
                            "    - iio: filter: admv8818: fix band 4, state 15",
                            "    - iio: filter: admv8818: fix integer overflow",
                            "    - iio: filter: admv8818: fix range calculation",
                            "    - iio: filter: admv8818: Support frequencies >= 2^32",
                            "    - iio: adc: ad7124: Fix 3dB filter frequency reading",
                            "    - MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a",
                            "    - coresight: Fixes device's owner field for registered using",
                            "      coresight_init_driver()",
                            "    - coresight: catu: Introduce refcount and spinlock for enabling/disabling",
                            "    - counter: interrupt-cnt: Protect enable/disable OPs with mutex",
                            "    - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()",
                            "    - mei: vsc: Cast tx_buf to (__be32 *) when passed to cpu_to_be32_array()",
                            "    - iio: adc: PAC1934: fix typo in documentation link",
                            "    - iio: adc: mcp3911: fix device dependent mappings for conversion result",
                            "      registers",
                            "    - USB: gadget: udc: fix const issue in gadget_match_driver()",
                            "    - USB: typec: fix const issue in typec_match()",
                            "    - loop: add file_start_write() and file_end_write()",
                            "    - drm/xe: Make xe_gt_freq part of the Documentation",
                            "    - Fix sock_exceed_buf_limit not being triggered in",
                            "      __sk_mem_raise_allocated",
                            "    - net: stmmac: platform: guarantee uniqueness of bus_id",
                            "    - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt",
                            "    - net: tipc: fix refcount warning in tipc_aead_encrypt",
                            "    - driver: net: ethernet: mtk_star_emac: fix suspend/resume issue",
                            "    - net/mlx4_en: Prevent potential integer overflow calculating Hz",
                            "    - net: lan966x: Make sure to insert the vlan tags also in host mode",
                            "    - spi: bcm63xx-spi: fix shared reset",
                            "    - spi: bcm63xx-hsspi: fix shared reset",
                            "    - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION",
                            "    - ice: create new Tx scheduler nodes for new queues only",
                            "    - ice: fix rebuilding the Tx scheduler tree for large queue counts",
                            "    - idpf: fix a race in txq wakeup",
                            "    - idpf: avoid mailbox timeout delays during reset",
                            "    - net: dsa: tag_brcm: legacy: fix pskb_may_pull length",
                            "    - drm/i915/guc: Check if expecting reply before decrementing",
                            "      outstanding_submission_g2h",
                            "    - drm/i915/psr: Fix using wrong mask in REG_FIELD_PREP",
                            "    - drm/i915/guc: Handle race condition where wakeref count drops below 0",
                            "    - vmxnet3: correctly report gso type for UDP tunnels",
                            "    - selftests: net: build net/lib dependency in all target",
                            "    - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices",
                            "    - nvme: fix command limits status code",
                            "    - drm/panel-simple: fix the warnings for the Evervision VGG644804",
                            "    - netfilter: nf_nat: also check reverse tuple to obtain clashing entry",
                            "    - net: ti: icssg-prueth: Fix swapped TX stats for MII interfaces.",
                            "    - net: dsa: b53: do not enable RGMII delay on bcm63xx",
                            "    - net: dsa: b53: allow RGMII for bcm63xx RGMII ports",
                            "    - net: dsa: b53: do not touch DLL_IQQD on bcm53115",
                            "    - wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements",
                            "    - net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing",
                            "    - wireguard: device: enable threaded NAPI",
                            "    - scsi: ufs: qcom: Prevent calling phy_exit() before phy_init()",
                            "    - ASoC: codecs: hda: Fix RPM usage count underflow",
                            "    - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX",
                            "    - ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init",
                            "    - iov_iter: use iov_offset for length calculation in iov_iter_aligned_bvec",
                            "    - path_overmount(): avoid false negatives",
                            "    - fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)",
                            "    - do_change_type(): refuse to operate on unmounted/not ours mounts",
                            "    - tools/power turbostat: Fix AMD package-energy reporting",
                            "    - ALSA: hda/realtek: Add support for various HP Laptops using CS35L41 HDA",
                            "    - ALSA: hda/realtek - Support mute led function for HP platform",
                            "    - ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup",
                            "    - ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA",
                            "    - Input: synaptics-rmi - fix crash with unsupported versions of F34",
                            "    - pmdomain: core: Introduce dev_pm_genpd_rpm_always_on()",
                            "    - mmc: sdhci-of-dwcmshc: add PD workaround on RK3576",
                            "    - pinctrl: samsung: refactor drvdata suspend & resume callbacks",
                            "    - pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks",
                            "    - pinctrl: samsung: add gs101 specific eint suspend/resume callbacks",
                            "    - Bluetooth: hci_core: fix list_for_each_entry_rcu usage",
                            "    - Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers",
                            "    - Bluetooth: btintel_pcie: Increase the tx and rx descriptor count",
                            "    - Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race",
                            "      condition",
                            "    - Bluetooth: MGMT: Remove unused mgmt_pending_find_data",
                            "    - net: dsa: b53: fix untagged traffic sent via cpu tagged with VID 0",
                            "    - ath10k: snoc: fix unbalanced IRQ enable in crash recovery",
                            "    - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()",
                            "    - wifi: ath11k: don't use static variables in",
                            "      ath11k_debugfs_fw_stats_process()",
                            "    - wifi: ath11k: don't wait when there is no vdev started",
                            "    - wifi: ath11k: move some firmware stats related functions outside of",
                            "      debugfs",
                            "    - wifi: ath11k: validate ath11k_crypto_mode on top of",
                            "      ath11k_core_qmi_firmware_ready",
                            "    - wifi: ath12k: refactor ath12k_hw_regs structure",
                            "    - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()",
                            "    - spi: omap2-mcspi: Disable multi mode when CS should be kept asserted",
                            "      after message",
                            "    - spi: omap2-mcspi: Disable multi-mode when the previous message kept CS",
                            "      asserted",
                            "    - pinctrl: qcom: pinctrl-qcm2290: Add missing pins",
                            "    - scsi: iscsi: Fix incorrect error path labels for flashnode operations",
                            "    - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()",
                            "    - drm/meson: fix debug log statement when setting the HDMI clocks",
                            "    - drm/meson: use vclk_freq instead of pixel_freq in debug print",
                            "    - drm/meson: fix more rounding issues with 59.94Hz modes",
                            "    - i40e: return false from i40e_reset_vf if reset is in progress",
                            "    - i40e: retry VFLR handling if there is ongoing VF reset",
                            "    - macsec: MACsec SCI assignment for ES = 0",
                            "    - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance",
                            "    - Bluetooth: MGMT: Fix sparse errors",
                            "    - net/mlx5: Ensure fw pages are always allocated on same NUMA",
                            "    - net/mlx5: Fix return value when searching for existing flow group",
                            "    - net/mlx5: HWS, fix missing ip_version handling in definer",
                            "    - net/mlx5e: Fix leak of Geneve TLV option object",
                            "    - net_sched: tbf: fix a race in tbf_change()",
                            "    - fs/filesystems: Fix potential unsigned integer underflow in fs_name()",
                            "    - gfs2: pass through holder from the VFS for freeze/thaw",
                            "    - btrfs: exit after state split error at set_extent_bit()",
                            "    - nvmet-fcloop: access fcpreq only when holding reqlock",
                            "    - perf: Ensure bpf_perf_link path is properly serialized",
                            "    - block: use q->elevator with ->elevator_lock held in elv_iosched_show()",
                            "    - io_uring: consistently use rcu semantics with sqpoll thread",
                            "    - bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP",
                            "    - block: Fix bvec_set_folio() for very large folios",
                            "    - objtool/rust: relax slice condition to cover more `noreturn` Rust",
                            "      functions",
                            "    - tools/resolve_btfids: Fix build when cross compiling kernel with clang.",
                            "    - Revert \"wifi: mwifiex: Fix HT40 bandwidth issue.\"",
                            "    - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1",
                            "    - usb: usbtmc: Fix read_stb function and get_stb ioctl",
                            "    - tty: serial: 8250_omap: fix TX with DMA for am33xx",
                            "    - usb: misc: onboard_usb_dev: Fix usb5744 initialization sequence",
                            "    - usb: cdnsp: Fix issue with detecting command completion event",
                            "    - usb: cdnsp: Fix issue with detecting USB 3.2 speed",
                            "    - usb: Flush altsetting 0 endpoints before reinitializating them after",
                            "      reset.",
                            "    - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()",
                            "    - 9p: Add a migrate_folio method",
                            "    - ring-buffer: Move cpus_read_lock() outside of buffer->mutex",
                            "    - xfs: don't assume perags are initialised when trimming AGs",
                            "    - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall",
                            "    - x86/fred/signal: Prevent immediate repeat of single step trap on return",
                            "      from SIGTRAP handler",
                            "    - calipso: unlock rcu before returning -EAFNOSUPPORT",
                            "    - regulator: dt-bindings: mt6357: Drop fixed compatible requirement",
                            "    - usb: misc: onboard_usb_dev: fix build warning for",
                            "      CONFIG_USB_ONBOARD_DEV_USB5744=n",
                            "    - net: usb: aqc111: debug info before sanitation",
                            "    - overflow: Introduce __DEFINE_FLEX for having no initializer",
                            "    - gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add",
                            "    - thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit",
                            "    - pidfs: move O_RDWR into pidfs_alloc_file()",
                            "    - ACPICA: Introduce ACPI_NONSTRING",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Apply ACPI_NONSTRING in more places",
                            "    - bcachefs: Repair code for directory i_size",
                            "    - bcachefs: delete dead code from may_delete_deleted_inode()",
                            "    - bcachefs: Run may_delete_deleted_inode() checks in bch2_inode_rm()",
                            "    - bcachefs: Fix subvol to missing root repair",
                            "    - crypto: ecdsa - Fix enc/dec size reported by KEYCTL_PKEY_QUERY",
                            "    - crypto: ecdsa - Fix NIST P521 key size reported by KEYCTL_PKEY_QUERY",
                            "    - spinlock: extend guard with spinlock_bh variants",
                            "    - crypto: zynqmp-sha - Add locking",
                            "    - gfs2: Move gfs2_dinode_dealloc",
                            "    - gfs2: Move GIF_ALLOC_FAILED check out of gfs2_ea_dealloc",
                            "    - selftests: coredump: Properly initialize pointer",
                            "    - selftests: coredump: Fix test failure for slow machines",
                            "    - selftests: coredump: Raise timeout to 2 minutes",
                            "    - sched/fair: Fixup wake_up_sync() vs DELAYED_DEQUEUE",
                            "    - gfs2: Move gfs2_trans_add_databufs",
                            "    - gfs2: Don't start unnecessary transactions during log flush",
                            "    - platform/chrome: cros_ec_typec: Set Pin Assignment E in DP PORT VDO",
                            "    - PM: runtime: Add new devm functions",
                            "    - spi: atmel-quadspi: Fix unbalanced pm_runtime by using devm_ API",
                            "    - EDAC/bluefield: Don't use bluefield_edac_readl() result on error",
                            "    - drm: xlnx: zynqmp_dpsub: fix Kconfig dependencies for ASoC",
                            "    - drm/vc4: hdmi: Call HDMI hotplug helper on disconnect",
                            "    - drm/panthor: Call panthor_gpu_coherency_init() after PM resume()",
                            "    - accel/amdxdna: Fix incorrect size of ERT_START_NPU commands",
                            "    - drm/panthor: Fix the panthor_gpu_coherency_init() error path",
                            "    - drm/amdgpu: Refine Cleaner Shader MEC firmware version for GFX10.1.x",
                            "      GPUs",
                            "    - drm/v3d: Associate a V3D tech revision to all supported devices",
                            "    - drm/v3d: fix client obtained from axi_ids on V3D 4.1",
                            "    - drm/v3d: client ranges from axi_ids are different with V3D 7.1",
                            "    - drm/msm/dpu: remove DSC feature bit for PINGPONG on MSM8937",
                            "    - drm/msm/dpu: remove DSC feature bit for PINGPONG on MSM8917",
                            "    - drm/msm/dpu: remove DSC feature bit for PINGPONG on MSM8953",
                            "    - drm/amd/display: Don't check for NULL divisor in fixpt code",
                            "    - kselftest/arm64: fp-ptrace: Fix expected FPMR value when PSTATE.SM is",
                            "      changed",
                            "    - drm/i915/dp_mst: Use the correct connector while computing the link BPP",
                            "      limit on MST",
                            "    - libbpf: Fix implicit memfd_create() for bionic",
                            "    - bpf: Check link_create.flags parameter for multi_uprobe",
                            "    - net: phy: mediatek: permit to compile test GE SOC PHY driver",
                            "    - wifi: ath12k: Resolve multicast packet drop by populating key_cipher in",
                            "      ath12k_install_key()",
                            "    - wifi: ath12k: fix SLUB BUG - Object already free in ath12k_reg_free()",
                            "    - wifi: ath12k: fix ATH12K_FLAG_REGISTERED flag handling",
                            "    - net/mlx5: HWS, Fix matcher action template attach",
                            "    - xfrm: provide common xdo_dev_offload_ok callback implementation",
                            "    - xfrm: Add explicit dev to .xdo_dev_state_{add,delete,free}",
                            "    - bonding: Mark active offloaded xfrm_states",
                            "    - bonding: Fix multiple long standing offload races",
                            "    - wifi: ath12k: Handle error cases during extended skb allocation",
                            "    - wifi: ath12k: Refactor the monitor Rx parser handler argument",
                            "    - wifi: ath12k: Add extra TLV tag parsing support in monitor Rx path",
                            "    - wifi: ath12k: Avoid fetch Error bitmap and decap format from Rx TLV",
                            "    - wifi: ath12k: Replace band define G with GHZ where appropriate",
                            "    - wifi: ath12k: change the status update in the monitor Rx",
                            "    - wifi: ath12k: add rx_info to capture required field from rx descriptor",
                            "    - wifi: ath12k: remove redundant declaration of ath12k_dp_rx_h_find_peer()",
                            "    - wifi: ath12k: replace the usage of rx desc with rx_info",
                            "    - wifi: ath12k: fix wrong handling of CCMP256 and GCMP ciphers",
                            "    - wifi: iwlwifi: re-add IWL_AMSDU_8K case",
                            "    - iommu: ipmmu-vmsa: avoid Wformat-security warning",
                            "    - iommu/io-pgtable-arm: dynamically allocate selftest device struct",
                            "    - f2fs: zone: fix to calculate first_zoned_segno correctly",
                            "    - selftests/bpf: Fix kmem_cache iterator draining",
                            "    - iommu/arm-smmu-v3: Fix incorrect return in arm_smmu_attach_dev",
                            "    - clk: test: Forward-declare struct of_phandle_args in kunit/clk.h",
                            "    - pinctrl: qcom: correct the ngpios entry for QCS615",
                            "    - pinctrl: qcom: correct the ngpios entry for QCS8300",
                            "    - wifi: ath12k: Reorder and relocate the release of resources in",
                            "      ath12k_core_deinit()",
                            "    - hisi_acc_vfio_pci: bugfix cache write-back issue",
                            "    - hisi_acc_vfio_pci: bugfix the problem of uninstalling driver",
                            "    - wifi: mt76: mt7996: avoid null deref in mt7996_stop_phy()",
                            "    - Bluetooth: separate CIS_LINK and BIS_LINK link types",
                            "    - wifi: mt76: scan: Fix 'mlink' dereferenced before IS_ERR_OR_NULL check",
                            "    - wifi: mt76: mt7996: fix beamformee SS field",
                            "    - wifi: mt76: mt7996: fix invalid NSS setting when TX path differs from",
                            "      NSS",
                            "    - wifi: mt76: fix available_antennas setting",
                            "    - octeontx2-af: Send Link events one by one",
                            "    - f2fs: fix to skip f2fs_balance_fs() if checkpoint is disabled",
                            "    - arm64: dts: qcom: sa8775p: Partially revert \"arm64: dts: qcom: sa8775p:",
                            "      add QCrypto nodes\"",
                            "    - arm64: dts: qcom: qcs8300: Partially revert \"arm64: dts: qcom: qcs8300:",
                            "      add QCrypto nodes\"",
                            "    - arm64: dts: qcom: sm8550: use ICC tag for all interconnect phandles",
                            "    - arm64: dts: qcom: sm8550: add missing cpu-cfg interconnect path in the",
                            "      mdss node",
                            "    - arm64: dts: qcom: ipq9574: fix the msi interrupt numbers of pcie3",
                            "    - arm64: dts: qcom: sm8750: Fix cluster hierarchy for idle states",
                            "    - arm64: dts: qcom: sm8750: Correct clocks property for uart14 node",
                            "    - arm64: dts: qcom: qcs615: remove disallowed property in spmi bus node",
                            "    - arm64: dts: qcom: sm8650: Fix domain-idle-state for CPU2",
                            "    - arm64: dts: rockchip: Add missing uart3 interrupt for RK3528",
                            "    - arm64: dts: mediatek: mt8188: Fix IOMMU device for rdma0",
                            "    - arm64: dts: qcom: x1e001de-devkit: Describe USB retimers resets pin",
                            "      configs",
                            "    - arm64: dts: qcom: x1e001de-devkit: Fix pin config for USB0 retimer vregs",
                            "    - arm64: dts: allwinner: a100: set maximum MMC frequency",
                            "    - arm64: dts: renesas: white-hawk-single: Improve Ethernet TSN description",
                            "    - arm64: dts: qcom: sm8650: add the missing l2 cache node",
                            "    - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399",
                            "      Puma",
                            "    - dt-bindings: display/msm/dsi-phy: Add header with exposed clock IDs",
                            "    - arm64: dts: qcom: msm8998: Use the header with DSI phy clock IDs",
                            "    - arm64: dts: qcom: msm8998: Remove mdss_hdmi_phy phandle argument",
                            "    - arm64: dts: qcom: qcs615: Fix up UFS clocks",
                            "    - ubsan: integer-overflow: depend on BROKEN to keep this out of CI",
                            "    - [Config] disable UBSAN_SIGNED_WRAP",
                            "    - tools build: Don't set libunwind as available if test-all.c build",
                            "      succeeds",
                            "    - tools build: Don't show libunwind build status as it is opt-in",
                            "    - tools build: Don't show libbfd build status as it is opt-in",
                            "    - dm: handle failures in dm_table_set_restrictions",
                            "    - HID: intel-thc-hid: intel-quicki2c: pass correct arguments to",
                            "      acpi_evaluate_object",
                            "    - perf tool_pmu: Fix aggregation on duration_time",
                            "    - remoteproc: k3-r5: Refactor sequential core power up/down operations",
                            "    - netfs: Fix setting of transferred bytes with short DIO reads",
                            "    - netfs: Fix the request's work item to not require a ref",
                            "    - netfs: Fix wait/wake to be consistent about the waitqueue used",
                            "    - mfd: exynos-lpass: Fix another error handling path in",
                            "      exynos_lpass_probe()",
                            "    - netfs: Fix undifferentiation of DIO reads from unbuffered reads",
                            "    - mailbox: mchp-ipc-sbi: Fix COMPILE_TEST build error",
                            "    - perf pmu: Avoid segv for missing name/alias_name in wildcarding",
                            "    - s390/uv: Don't return 0 from make_hva_secure() if the operation was not",
                            "      successful",
                            "    - s390/uv: Always return 0 from s390_wiggle_split_folio() if successful",
                            "    - s390/uv: Improve splitting of large folios that cannot be split while",
                            "      dirty",
                            "    - nfs_localio: use cmpxchg() to install new nfs_file_localio",
                            "    - nfs_localio: always hold nfsd net ref with nfsd_file ref",
                            "    - nfs_localio: simplify interface to nfsd for getting nfsd_file",
                            "    - nfs_localio: duplicate nfs_close_local_fh()",
                            "    - nfs_localio: protect race between nfs_uuid_put() and",
                            "      nfs_close_local_fh()",
                            "    - nfs_localio: change nfsd_file_put_local() to take a pointer to __rcu",
                            "      pointer",
                            "    - rust: file: mark `LocalFile` as `repr(transparent)`",
                            "    - exportfs: require ->fh_to_parent() to encode connectable file handles",
                            "    - PCI: pciehp: Ignore Presence Detect Changed caused by DPC",
                            "    - PCI: pciehp: Ignore Link Down/Up caused by Secondary Bus Reset",
                            "    - PCI: rockchip: Fix order of rockchip_pci_core_rsts",
                            "    - PCI: imx6: Save and restore the LUT setting during suspend/resume for",
                            "      i.MX95 SoC",
                            "    - Revert \"phy: qcom-qusb2: add QUSB2 support for IPQ5424\"",
                            "    - phy: qcom-qusb2: reuse the IPQ6018 settings for IPQ5424",
                            "    - soundwire: only compute port params in specific stream states",
                            "    - rust: pci: fix docs related to missing Markdown code spans",
                            "    - coresight: core: Disable helpers for devices that fail to enable",
                            "    - iio: dac: adi-axi-dac: fix bus read",
                            "    - coresight: tmc: fix failure to disable/enable ETF after reading",
                            "    - coresight: etm4x: Fix timestamp bit field handling",
                            "    - coresight/etm4: fix missing disable active config",
                            "    - staging: gpib: Fix PCMCIA config identifier",
                            "    - staging: gpib: Fix secondary address restriction",
                            "    - rust: miscdevice: fix typo in MiscDevice::ioctl documentation",
                            "    - drm/bridge: analogix_dp: Remove the unnecessary calls to",
                            "      clk_disable_unprepare() during probing",
                            "    - drm/bridge: analogix_dp: Remove CONFIG_PM related check in",
                            "      analogix_dp_bind()/analogix_dp_unbind()",
                            "    - drm/bridge: analogix_dp: Add support to get panel from the DP AUX bus",
                            "    - drm/bridge: analogix_dp: Fix clk-disable removal",
                            "    - drm/xe: Add missing documentation of rpa_freq",
                            "    - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT",
                            "    - net: Fix checksum update for ILA adj-transport",
                            "    - bpf: Clarify the meaning of BPF_F_PSEUDO_HDR",
                            "    - bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE",
                            "    - iavf: iavf_suspend(): take RTNL before netdev_lock()",
                            "    - iavf: centralize watchdog requeueing itself",
                            "    - iavf: simplify watchdog_task in terms of adminq task scheduling",
                            "    - iavf: extract iavf_watchdog_step() out of iavf_watchdog_task()",
                            "    - iavf: sprinkle netdev_assert_locked() annotations",
                            "    - drm/amdgpu/gfx10: Refine Cleaner Shader for GFX10.1.10",
                            "    - block: flip iter directions in blk_rq_integrity_map_user()",
                            "    - nvme: fix implicit bool to flags conversion",
                            "    - net: dsa: b53: implement setting ageing time",
                            "    - net: dsa: b53: do not configure bcm63xx's IMP port interface",
                            "    - netlink: specs: rt-link: add missing byte-order properties",
                            "    - net: annotate data-races around cleanup_net_task",
                            "    - drm/xe/vsec: fix CONFIG_INTEL_VSEC dependency",
                            "    - drm/xe: Rework eviction rejection of bound external bos",
                            "    - ALSA: hda: Allow to fetch hlink by ID",
                            "    - ASoC: Intel: avs: PCM operations for LNL-based platforms",
                            "    - ASoC: Intel: avs: Fix PPLCxFMT calculation",
                            "    - ASoC: Intel: avs: Ignore Vendor-space manipulation for ACE",
                            "    - ASoC: Intel: avs: Read HW capabilities when possible",
                            "    - ASoC: Intel: avs: Relocate DSP status registers",
                            "    - ASoC: Intel: avs: Fix paths in MODULE_FIRMWARE hints",
                            "    - fs: convert mount flags to enum",
                            "    - finish_automount(): don't leak MNT_LOCKED from parent to child",
                            "    - clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the",
                            "      right userns",
                            "    - genksyms: Fix enum consts from a reference affecting new values",
                            "    - accel/amdxdna: Fix incorrect PSP firmware size",
                            "    - drm/vc4: fix infinite EPROBE_DEFER loop",
                            "    - iavf: fix reset_task for early reset event",
                            "    - ice/ptp: fix crosstimestamp reporting",
                            "    - net/mlx5: HWS, make sure the uplink is the last destination",
                            "    - btrfs: fix fsync of files with no hard links not persisting deletion",
                            "    - io_uring: fix spurious drain flushing",
                            "    - smb: client: fix perf regression with deferred closes",
                            "    - rust: compile libcore with edition 2024 for 1.87+",
                            "    - pidfs: never refuse ppid == 0 in PIDFD_GET_INFO",
                            "    - powerpc/kernel: Fix ppc_save_regs inclusion in build",
                            "    - mm/filemap: gate dropbehind invalidate on folio !dirty && !writeback",
                            "    - mm/filemap: use filemap_end_dropbehind() for read invalidation",
                            "    - x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap()",
                            "    - Upstream stable to v6.12.34, v6.15.1, v6.15.2, v6.15.3",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38105",
                            "    - ALSA: usb-audio: Kill timer properly at removal",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38114",
                            "    - e1000: Move cancel_work_sync to avoid deadlock",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38116",
                            "    - wifi: ath12k: fix uaf in ath12k_core_init()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38306",
                            "    - fs/fhandle.c: fix a race in call of has_locked_children()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38272",
                            "    - net: dsa: b53: do not enable EEE on bcm63xx",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38311",
                            "    - iavf: get rid of the crit lock",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38128",
                            "    - Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38130",
                            "    - drm/connector: only call HDMI audio helper plugged cb if non-null",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38132",
                            "    - coresight: holding cscfg_csdev_lock while removing cscfg from csdev",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38137",
                            "    - PCI/pwrctrl: Cancel outstanding rescan work when unregistering",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38139",
                            "    - netfs: Fix oops in write-retry from mis-resetting the subreq iterator",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38140",
                            "    - dm: limit swapping tables for devices with zone write plugs",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38279",
                            "    - bpf: Do not include stack ptr register in precision backtracking",
                            "      bookkeeping",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38314",
                            "    - virtio-pci: Fix result size returned for the admin command completion",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38316",
                            "    - wifi: mt76: mt7996: avoid NULL pointer dereference in",
                            "      mt7996_set_monitor()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38281",
                            "    - wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38284",
                            "    - wifi: rtw89: pci: configure manual DAC mode via PCI config API only",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38287",
                            "    - IB/cm: Drop lockdep assert and WARN when freeing old msg",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38289",
                            "    - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38291",
                            "    - wifi: ath12k: Prevent sending WMI commands to firmware during firmware",
                            "      crash",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38294",
                            "    - wifi: ath12k: fix NULL access in assign channel context handler",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38296",
                            "    - ACPI: platform_profile: Avoid initializing on non-ACPI platforms",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38100",
                            "    - x86/iopl: Cure TIF_IO_BITMAP inconsistencies",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38101",
                            "    - ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38267",
                            "    - ring-buffer: Do not trigger WARN_ON() due to a commit_overrun",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38268",
                            "    - usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38102",
                            "    - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38301",
                            "    - nvmem: zynqmp_nvmem: unbreak driver after cleanup",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38352",
                            "    - posix-cpu-timers: fix race between handle_posix_cpu_timers() and",
                            "      posix_cpu_timer_del()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38103",
                            "    - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38302",
                            "    - block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38106",
                            "    - io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38269",
                            "    - btrfs: exit after state insertion failure at btrfs_convert_extent_bit()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38270",
                            "    - net: drv: netdevsim: don't napi_complete() from netpoll",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38107",
                            "    - net_sched: ets: fix a race in ets_qdisc_change()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38108",
                            "    - net_sched: red: fix a race in __red_change()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38109",
                            "    - net/mlx5: Fix ECVF vports unload on shutdown flow",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38303",
                            "    - Bluetooth: eir: Fix possible crashes on eir_create_adv_data",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38304",
                            "    - Bluetooth: Fix NULL pointer deference on eir_get_service_data",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38110",
                            "    - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38111",
                            "    - net/mdiobus: Fix potential out-of-bounds read/write access",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38112",
                            "    - net: Fix TOCTOU issue in sk_is_readable()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38113",
                            "    - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38088",
                            "    - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38115",
                            "    - net_sched: sch_sfq: fix a potential crash on gso_skb handling",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38414",
                            "    - wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38305",
                            "    - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38117",
                            "    - Bluetooth: MGMT: Protect mgmt_pending list with its own lock",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38118",
                            "    - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38119",
                            "    - scsi: core: ufs: Fix a hang in the error handler",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38307",
                            "    - ASoC: Intel: avs: Verify content returned by parse_int_array()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38310",
                            "    - seg6: Fix validation of nexthop addresses",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38120",
                            "    - netfilter: nf_set_pipapo_avx2: fix initial map fill",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38122",
                            "    - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38123",
                            "    - net: wwan: t7xx: Fix napi rx poll issue",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38124",
                            "    - net: fix udp gso skb_segment after pull from frag_list",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38125",
                            "    - net: stmmac: make sure that ptp_rate is not 0 before configuring EST",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38126",
                            "    - net: stmmac: make sure that ptp_rate is not 0 before configuring",
                            "      timestamping",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38127",
                            "    - ice: fix Tx scheduler error handling in XDP callback",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38129",
                            "    - page_pool: Fix use-after-free in page_pool_recycle_in_ring",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38131",
                            "    - coresight: prevent deactivate active config while enabling the config",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38274",
                            "    - fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38134",
                            "    - usb: acpi: Prevent null pointer dereference in",
                            "      usb_acpi_add_usb4_devlink()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38135",
                            "    - serial: Fix potential null-ptr-deref in mlb_usio_probe()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38136",
                            "    - usb: renesas_usbhs: Reorder clock handling and power management in probe",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38138",
                            "    - dmaengine: ti: Add NULL check in udma_probe()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38275",
                            "    - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38141",
                            "    - dm: fix dm_blk_report_zones",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38142",
                            "    - hwmon: (asus-ec-sensors) check sensor index in read_string()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38277",
                            "    - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38143",
                            "    - backlight: pm8941: Add NULL check in wled_configure()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38312",
                            "    - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38145",
                            "    - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38313",
                            "    - bus: fsl-mc: fix double-free on mc_dev",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38415",
                            "    - Squashfs: check return result of sb_min_blocksize",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38146",
                            "    - net: openvswitch: Fix the dead loop of MPLS parse",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38147",
                            "    - calipso: Don't call calipso functions for AF_INET sk.",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38278",
                            "    - octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38148",
                            "    - net: phy: mscc: Fix memory leak when using one step timestamping",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38149",
                            "    - net: phy: clear phydev->devlink when the link is deleted",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38280",
                            "    - bpf: Avoid __bpf_prog_ret0_warn when jit fails",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38151",
                            "    - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38153",
                            "    - net: usb: aqc111: fix error handling of usbnet read calls",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38154",
                            "    - bpf, sockmap: Avoid using sk_socket after free when sending",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38315",
                            "    - Bluetooth: btintel: Check dsbr size from EFI variable",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38155",
                            "    - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38156",
                            "    - wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38282",
                            "    - kernfs: Relax constraint in draining guard",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38157",
                            "    - wifi: ath9k_htc: Abort software beacon handling if disabled",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38283",
                            "    - hisi_acc_vfio_pci: bugfix live migration function without VF device",
                            "      driver",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38158",
                            "    - hisi_acc_vfio_pci: fix XQE dma address error",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38159",
                            "    - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38285",
                            "    - bpf: Fix WARN() in get_bpf_raw_tp_regs",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38286",
                            "    - pinctrl: at91: Fix possible out-of-boundary access",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38160",
                            "    - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38161",
                            "    - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38162",
                            "    - netfilter: nft_set_pipapo: prevent overflow in lookup table allocation",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38288",
                            "    - scsi: smartpqi: Fix smp_processor_id() call trace for preemptible",
                            "      kernels",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38290",
                            "    - wifi: ath12k: fix node corruption in ar->arvifs list",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38292",
                            "    - wifi: ath12k: fix invalid access to memory",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38163",
                            "    - f2fs: fix to do sanity check on sbi->total_valid_block_count",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38317",
                            "    - wifi: ath12k: Fix buffer overflow in debugfs",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38164",
                            "    - f2fs: zone: fix to avoid inconsistence in between SIT and SSA",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38165",
                            "    - bpf, sockmap: Fix panic when calling skb_linearize",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38166",
                            "    - bpf: fix ktls panic with sockmap",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38293",
                            "    - wifi: ath11k: fix node corruption in ar->arvifs list",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38295",
                            "    - perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in",
                            "      meson_ddr_pmu_create()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38167",
                            "    - fs/ntfs3: handle hdr_first_de() return value",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38318",
                            "    - perf: arm-ni: Fix missing platform_set_drvdata()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38168",
                            "    - perf: arm-ni: Unregister PMUs on probe failure",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38169",
                            "    - arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38170",
                            "    - arm64/fpsimd: Discard stale CPU state when handling SME traps",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38319",
                            "    - drm/amd/pp: Fix potential NULL pointer dereference in",
                            "      atomctrl_initialize_mc_reg_table",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38297",
                            "    - PM: EM: Fix potential division-by-zero error in em_compute_costs()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38298",
                            "    - EDAC/skx_common: Fix general protection fault",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38299",
                            "    - ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38172",
                            "    - erofs: avoid using multiple devices with different type",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38173",
                            "    - crypto: marvell/cesa - Handle zero-length skcipher requests",
                            "",
                            "  * Plucky update: upstream stable patchset 2025-08-06 (LP: #2119603) //",
                            "    CVE-2025-38300",
                            "    - crypto: sun8i-ce-cipher - fix error handling in",
                            "      sun8i_ce_cipher_prepare()",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039)",
                            "    - tracing: Fix compilation warning on arm32",
                            "    - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31",
                            "    - pinctrl: armada-37xx: set GPIO output value before setting direction",
                            "    - clk: samsung: correct clock summary for hsi1 block",
                            "    - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()",
                            "    - Documentation: ACPI: Use all-string data node references",
                            "    - rtc: Make rtc_time64_to_tm() support dates before 1970",
                            "    - rtc: Fix offset calculation for .start_secs < 0",
                            "    - orangefs: adjust counting code to recover from 665575cf",
                            "    - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE",
                            "    - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device",
                            "    - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB",
                            "    - usb: typec: ucsi: fix Clang -Wsign-conversion warning",
                            "    - Bluetooth: hci_qca: move the SoC type check to the right place",
                            "    - nvmem: rmem: select CONFIG_CRC32",
                            "    - usb: usbtmc: Fix timeout value in get_stb",
                            "    - dt-bindings: pwm: adi,axi-pwmgen: Fix clocks",
                            "    - dt-bindings: usb: cypress,hx3: Add support for all variants",
                            "    - dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt",
                            "      property",
                            "    - Linux 6.14.11",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38174",
                            "    - thunderbolt: Do not double dequeue a configuration request",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38175",
                            "    - binder: fix yet another UAF in binder_devices",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38176",
                            "    - binder: fix use-after-free in binderfs_evict_inode()",
                            "",
                            "  * Plucky update: v6.14.11 upstream stable release (LP: #2119039) //",
                            "    CVE-2025-38265",
                            "    - serial: jsm: fix NPE during jsm_uart_port_init",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010)",
                            "    - can: kvaser_pciefd: Force IRQ edge in case of nested IRQ",
                            "    - arm64: dts: socfpga: agilex5: fix gpio0 address",
                            "    - arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma",
                            "    - arm64: dts: qcom: ipq9574: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sa8775p: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sa8775p: Remove extra entries from the iommus property",
                            "    - arm64: dts: qcom: sa8775p: Remove cdsp compute-cb@10",
                            "    - arm64: dts: qcom: sm8350: Fix typo in pil_camera_mem node",
                            "    - arm64: dts: qcom: sm8450: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sm8550: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: sm8650: Add missing properties for cryptobam",
                            "    - arm64: dts: qcom: x1e001de-devkit: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e001de-devkit: mark l12b and",
                            "      l15b always-on\"",
                            "    - arm64: dts: qcom: x1e001de-devkit: mark l12b and l15b always-on",
                            "    - arm64: dts: qcom: x1e80100-asus-vivobook-s15: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: mark",
                            "      l12b and l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-dell-xps13-9345: mark l12b and l15b always-on",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-hp-omnibook-x14:",
                            "      Enable SMB2360 0 and 1\"",
                            "    - arm64: dts: qcom: x1e80100-hp-omnibook-x14: Enable SMB2360 0 and 1",
                            "    - arm64: dts: qcom: x1e80100-hp-omnibook-x14: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-hp-x14: mark l12b and",
                            "      l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-hp-x14: mark l12b and l15b always-on",
                            "    - arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Fix vreg_l2j_1p2 voltage",
                            "    - arm64: dts: qcom: x1e80100-qcp: Fix vreg_l2j_1p2 voltage",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-qcp: mark l12b and",
                            "      l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-qcp: mark l12b and l15b always-on",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-yoga-slim7x: mark l12b",
                            "      and l15b always-on\"",
                            "    - arm64: dts: qcom: x1e80100-yoga-slim7x: mark l12b and l15b always-on",
                            "    - arm64: dts: qcom: x1e80100: Fix PCIe 3rd controller DBI size",
                            "    - arm64: dts: ti: k3-am62-main: Set eMMC clock parent to default",
                            "    - arm64: dts: ti: k3-am62a-main: Set eMMC clock parent to default",
                            "    - arm64: dts: ti: k3-am62p-j722s-common-main: Set eMMC clock parent to",
                            "      default",
                            "    - arm64: dts: ti: k3-am62x: Remove clock-names property from IMX219",
                            "      overlay",
                            "    - arm64: dts: ti: k3-am62x: Rename I2C switch to I2C mux in IMX219 overlay",
                            "    - arm64: dts: ti: k3-am62x: Rename I2C switch to I2C mux in OV5640 overlay",
                            "    - arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0",
                            "    - arm64: dts: ti: k3-am68-sk: Fix regulator hierarchy",
                            "    - arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators",
                            "    - arm64: dts: ti: k3-j721e-sk: Remove clock-names property from IMX219",
                            "      overlay",
                            "    - arm64: dts: ti: k3-j721e-sk: Add requiried voltage supplies for IMX219",
                            "    - arm64: dts: ti: k3-j722s-evm: Enable \"serdes_wiz0\" and \"serdes_wiz1\"",
                            "    - arm64: dts: ti: k3-j722s-main: Disable \"serdes_wiz0\" and \"serdes_wiz1\"",
                            "    - arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix length of",
                            "      serdes_ln_ctrl",
                            "    - perf/arm-cmn: Fix REQ2/SNP2 mixup",
                            "    - perf/arm-cmn: Initialise cmn->cpu earlier",
                            "    - perf/arm-cmn: Add CMN S3 ACPI binding",
                            "    - iommu: Handle yet another race around registration",
                            "    - coredump: fix error handling for replace_fd()",
                            "    - coredump: hand a pidfd to the usermode coredump helper",
                            "    - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open",
                            "    - HID: amd_sfh: Avoid clearing reports for SRA sensor",
                            "    - HID: quirks: Add ADATA XPG alpha wireless mouse support",
                            "    - nfs: don't share pNFS DS connections between net namespaces",
                            "    - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS",
                            "    - kbuild: Require pahole <v1.28 or >v1.29 with GENDWARFKSYMS on X86",
                            "    - SAUCE: Revert \"kbuild: Require pahole <v1.28 or >v1.29 with",
                            "      GENDWARFKSYMS on X86\"",
                            "    - um: let 'make clean' properly clean underlying SUBARCH as well",
                            "    - nvmet: pci-epf: cleanup nvmet_pci_epf_raise_irq()",
                            "    - drm/amd/display: fix link_set_dpms_off multi-display MST corner case",
                            "    - nvme: multipath: enable BLK_FEAT_ATOMIC_WRITES for multipathing",
                            "    - phy: starfive: jh7110-usb: Fix USB 2.0 host occasional detection failure",
                            "    - phy: phy-rockchip-samsung-hdptx: Fix PHY PLL output 50.25MHz error",
                            "    - spi: spi-sun4i: fix early activation",
                            "    - nvme: all namespaces in a subsystem must adhere to a common atomic write",
                            "      size",
                            "    - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro",
                            "    - drm/xe/xe2hpg: Add Wa_22021007897",
                            "    - drm/xe: Save the gt pointer in lrc and drop the tile",
                            "    - char: tpm: tpm-buf: Add sanity check fallback in read helpers",
                            "    - NFS: Avoid flushing data while holding directory locks in nfs_rename()",
                            "    - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys",
                            "    - ALSA: hda/realtek - restore auto-mute mode for Dell Chrome platform",
                            "    - platform/x86: thinkpad_acpi: Ignore battery threshold change event",
                            "      notification",
                            "    - net: ethernet: ti: am65-cpsw: Lower random mac address error print to",
                            "      info",
                            "    - Linux 6.14.10",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010) //",
                            "    CVE-2025-38092",
                            "    - ksmbd: use list_first_entry_or_null for opinfo_get_list()",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010) //",
                            "    CVE-2025-38091",
                            "    - drm/amd/display: check stream id dml21 wrapper to get plane_id",
                            "",
                            "  * Plucky update: v6.14.10 upstream stable release (LP: #2119010) //",
                            "    CVE-2025-38082",
                            "    - gpio: virtuser: fix potential out-of-bound write",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678)",
                            "    - drm/amd/display: Do not enable replay when vtotal update is pending.",
                            "    - drm/amd/display: Correct timing_adjust_pending flag setting.",
                            "    - drm/amd/display: Defer BW-optimization-blocked DRR adjustments",
                            "    - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe",
                            "    - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver",
                            "      data",
                            "    - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off",
                            "    - nvmet: pci-epf: Keep completion queues mapped",
                            "    - nvmet: pci-epf: clear completion queue IRQ flag on delete",
                            "    - cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist",
                            "    - nvmem: rockchip-otp: Move read-offset into variant-data",
                            "    - nvmem: rockchip-otp: add rk3576 variant data",
                            "    - nvmem: core: fix bit offsets of more than one byte",
                            "    - nvmem: core: verify cell's raw_len",
                            "    - nvmem: core: update raw_len if the bit reading is required",
                            "    - nvmem: qfprom: switch to 4-byte aligned reads",
                            "    - scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices",
                            "    - dma/mapping.c: dev_dbg support for dma_addressing_limited",
                            "    - intel_th: avoid using deprecated page->mapping, index fields",
                            "    - mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type",
                            "    - dma-mapping: avoid potential unused data compilation warning",
                            "    - btrfs: tree-checker: adjust error code for header level check",
                            "    - cgroup: Fix compilation issue due to cgroup_mutex not being exported",
                            "    - vhost_task: fix vhost_task_create() documentation",
                            "    - scsi: mpi3mr: Add level check to control event logging",
                            "    - dma-mapping: Fix warning reported for missing prototype",
                            "    - ima: process_measurement() needlessly takes inode_lock() on MAY_READ",
                            "    - fs/buffer: split locking for pagecache lookups",
                            "    - fs/buffer: introduce sleeping flavors for pagecache lookups",
                            "    - fs/buffer: use sleeping version of __find_get_block()",
                            "    - fs/ocfs2: use sleeping version of __find_get_block()",
                            "    - fs/jbd2: use sleeping version of __find_get_block()",
                            "    - fs/ext4: use sleeping version of sb_find_get_block()",
                            "    - drm/amd/display: Enable urgent latency adjustment on DCN35",
                            "    - drm/amdgpu: Allow P2P access through XGMI",
                            "    - selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure",
                            "    - block: hoist block size validation code to a separate function",
                            "    - io_uring: don't duplicate flushing in io_req_post_cqe",
                            "    - bpf: fix possible endless loop in BPF map iteration",
                            "    - samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora",
                            "    - kconfig: merge_config: use an empty file as initfile",
                            "    - s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel",
                            "      log",
                            "    - cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES",
                            "    - cifs: Fix querying and creating MF symlinks over SMB1",
                            "    - cifs: Fix access_flags_to_smbopen_mode",
                            "    - cifs: Fix negotiate retry functionality",
                            "    - smb: client: Store original IO parameters and prevent zero IO sizes",
                            "    - fuse: Return EPERM rather than ENOSYS from link()",
                            "    - exfat: call bh_read in get_block only when necessary",
                            "    - io_uring/msg: initialise msg request opcode",
                            "    - NFSv4: Check for delegation validity in",
                            "      nfs_start_delegation_return_locked()",
                            "    - NFS: Don't allow waiting for exiting tasks",
                            "    - SUNRPC: Don't allow waiting for exiting tasks",
                            "    - arm64: Add support for HIP09 Spectre-BHB mitigation",
                            "    - iommufd: Extend IOMMU_GET_HW_INFO to report PASID capability",
                            "    - ring-buffer: Use kaslr address instead of text delta",
                            "    - tracing: Mark binary printing functions with __printf() attribute",
                            "    - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list",
                            "    - tpm: Convert warn to dbg in tpm2_start_auth_session()",
                            "    - mailbox: pcc: Use acpi_os_ioremap() instead of ioremap()",
                            "    - mailbox: use error ret code of of_parse_phandle_with_args()",
                            "    - riscv: Allow NOMMU kernels to access all of RAM",
                            "    - fbdev: fsl-diu-fb: add missing device_remove_file()",
                            "    - fbcon: Use correct erase colour for clearing in fbcon",
                            "    - fbdev: core: tileblit: Implement missing margin clearing for tileblit",
                            "    - cifs: Set default Netbios RFC1001 server name to hostname in UNC",
                            "    - cifs: add validation check for the fields in smb_aces",
                            "    - cifs: Fix establishing NetBIOS session for SMB2+ connection",
                            "    - cifs: Fix getting DACL-only xattr system.cifs_acl and system.smb3_acl",
                            "    - cifs: Check if server supports reparse points before using them",
                            "    - NFSv4: Treat ENETUNREACH errors as fatal for state recovery",
                            "    - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting",
                            "    - SUNRPC: rpcbind should never reset the port to the value '0'",
                            "    - ASoC: codecs: wsa884x: Correct VI sense channel mask",
                            "    - ASoC: codecs: wsa883x: Correct VI sense channel mask",
                            "    - mctp: Fix incorrect tx flow invalidation condition in mctp-i2c",
                            "    - net: tn40xx: add pci-id of the aqr105-based Tehuti TN4010 cards",
                            "    - net: tn40xx: create swnode for mdio and aqr105 phy and add to mdiobus",
                            "    - thermal/drivers/mediatek/lvts: Start sensor interrupts disabled",
                            "    - thermal/drivers/qoriq: Power down TMU on system suspend",
                            "    - Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler",
                            "      removal",
                            "    - Bluetooth: Disable SCO support if READ_VOICE_SETTING is",
                            "      unsupported/broken",
                            "    - RISC-V: add vector extension validation checks",
                            "    - dql: Fix dql->limit value when reset.",
                            "    - lockdep: Fix wait context check on softirq for PREEMPT_RT",
                            "    - objtool: Properly disable uaccess validation",
                            "    - net/mlx5e: Use right API to free bitmap memory",
                            "    - PCI: dwc: ep: Ensure proper iteration over outbound map windows",
                            "    - r8169: disable RTL8126 ZRX-DC timeout",
                            "    - tools/build: Don't pass test log files to linker",
                            "    - PCI: xilinx-cpm: Add cpm_csr register mapping for CPM5_HOST1 variant",
                            "    - i2c: qcom-geni: Update i2c frequency table to match hardware guidance",
                            "    - pNFS/flexfiles: Report ENETDOWN as a connection error",
                            "    - drm/amdgpu/discovery: check ip_discovery fw file available",
                            "    - drm/amdgpu: rework how the cleaner shader is emitted v3",
                            "    - drm/amdgpu: rework how isolation is enforced v2",
                            "    - drm/amdgpu: use GFP_NOWAIT for memory allocations",
                            "    - drm/amdkfd: set precise mem ops caps to disabled for gfx 11 and 12",
                            "    - PCI: vmd: Disable MSI remapping bypass under Xen",
                            "    - xen/pci: Do not register devices with segments >= 0x10000",
                            "    - ext4: on a remount, only log the ro or r/w state when it has changed",
                            "    - pidfs: improve multi-threaded exec and premature thread-group leader",
                            "      exit polling",
                            "    - staging: vchiq_arm: Create keep-alive thread during probe",
                            "    - mmc: host: Wait for Vdd to settle on card power off",
                            "    - drm/amdgpu: Skip pcie_replay_count sysfs creation for VF",
                            "    - cgroup/rstat: avoid disabling irqs for O(num_cpu)",
                            "    - wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv()",
                            "    - wifi: mt76: scan: fix setting tx_info fields",
                            "    - wifi: mt76: mt7996: implement driver specific get_txpower function",
                            "    - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2",
                            "    - wifi: mt76: mt7996: use the correct vif link for scanning/roc",
                            "    - wifi: mt76: scan: set vif offchannel link for scanning/roc",
                            "    - wifi: mt76: mt7996: fix SER reset trigger on WED reset",
                            "    - wifi: mt76: mt7996: revise TXS size",
                            "    - wifi: mt76: mt7925: load the appropriate CLC data based on hardware type",
                            "    - wifi: mt76: mt7925: Simplify HIF suspend handling to avoid suspend fail",
                            "    - wifi: mt76: mt7925: fix fails to enter low power mode in suspend state",
                            "    - x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in non-UAPI headers",
                            "    - x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers",
                            "    - x86/stackprotector/64: Only export __ref_stack_chk_guard on CONFIG_SMP",
                            "    - x86/smpboot: Fix INIT delay assignment for extended Intel Families",
                            "    - x86/microcode: Update the Intel processor flag scan check",
                            "    - x86/amd_node: Add SMN offsets to exclusive region access",
                            "    - i2c: qup: Vote for interconnect bandwidth to DRAM",
                            "    - i2c: amd-asf: Set cmd variable when encountering an error",
                            "    - i2c: pxa: fix call balance of i2c->clk handling routines",
                            "    - btrfs: make btrfs_discard_workfn() block_group ref explicit",
                            "    - btrfs: avoid linker error in btrfs_find_create_tree_block()",
                            "    - btrfs: run btrfs_error_commit_super() early",
                            "    - btrfs: fix non-empty delayed iputs list on unmount due to async workers",
                            "    - btrfs: get zone unusable bytes while holding lock at",
                            "      btrfs_reclaim_bgs_work()",
                            "    - btrfs: send: return -ENAMETOOLONG when attempting a path that is too",
                            "      long",
                            "    - blk-cgroup: improve policy registration error handling",
                            "    - drm/amdgpu: release xcp_mgr on exit",
                            "    - drm/amd/display: Guard against setting dispclk low for dcn31x",
                            "    - drm/amdgpu: don't free conflicting apertures for non-display devices",
                            "    - drm/amdgpu: adjust drm_firmware_drivers_only() handling",
                            "    - i3c: master: svc: Fix missing STOP for master request",
                            "    - s390/tlb: Use mm_has_pgste() instead of mm_alloc_pgste()",
                            "    - dlm: make tcp still work in multi-link env",
                            "    - loop: move vfs_fsync() out of loop_update_dio()",
                            "    - clocksource/drivers/timer-riscv: Stop stimecmp when cpu hotplug",
                            "    - um: Store full CSGSFS and SS register from mcontext",
                            "    - um: Update min_low_pfn to match changes in uml_reserved",
                            "    - net/mlx5: Preserve rate settings when creating a rate node",
                            "    - wifi: mwifiex: Fix HT40 bandwidth issue.",
                            "    - bnxt_en: Query FW parameters when the CAPS_CHANGE bit is set",
                            "    - ixgbe: add support for thermal sensor event reception",
                            "    - riscv: Call secondary mmu notifier when flushing the tlb",
                            "    - ext4: reorder capability check last",
                            "    - hypfs_create_cpu_files(): add missing check for hypfs_mkdir() failure",
                            "    - scsi: st: Tighten the page format heuristics with MODE SELECT",
                            "    - scsi: st: ERASE does not change tape location",
                            "    - vfio/pci: Handle INTx IRQ_NOTCONNECTED",
                            "    - bpftool: Using the right format specifiers",
                            "    - bpf: Return prog btf_id without capable check",
                            "    - PCI: dwc: Use resource start as ioremap() input in",
                            "      dw_pcie_pme_turn_off()",
                            "    - jbd2: do not try to recover wiped journal",
                            "    - tcp: reorganize tcp_in_ack_event() and tcp_count_delivered()",
                            "    - rtc: rv3032: fix EERD location",
                            "    - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for",
                            "      retimer",
                            "    - erofs: initialize decompression early",
                            "    - spi: spi-mux: Fix coverity issue, unchecked return value",
                            "    - ASoC: pcm6240: Drop bogus code handling IRQ as GPIO",
                            "    - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect",
                            "    - kunit: tool: Fix bug in parsing test plan",
                            "    - bpf: Allow pre-ordering for bpf cgroup progs",
                            "    - kbuild: fix argument parsing in scripts/config",
                            "    - kconfig: do not clear SYMBOL_VALID when reading include/config/auto.conf",
                            "    - crypto: octeontx2 - suppress auth failure screaming due to negative",
                            "      tests",
                            "    - dm: restrict dm device size to 2^63-512 bytes",
                            "    - net/smc: use the correct ndev to find pnetid by pnetid table",
                            "    - xen: Add support for XenServer 6.1 platform device",
                            "    - pinctrl-tegra: Restore SFSEL bit when freeing pins",
                            "    - mfd: syscon: Add check for invalid resource size",
                            "    - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check",
                            "    - drm/amdgpu/gfx12: don't read registers in mqd init",
                            "    - drm/amdgpu/gfx11: don't read registers in mqd init",
                            "    - drm/amdgpu: Update SRIOV video codec caps",
                            "    - ASoC: sun4i-codec: support hp-det-gpios property",
                            "    - ASoC: sun4i-codec: correct dapm widgets and controls for h616",
                            "    - clk: qcom: lpassaudiocc-sc7280: Add support for LPASS resets for QCM6490",
                            "    - leds: Kconfig: leds-st1202: Add select for required LEDS_TRIGGER_PATTERN",
                            "    - leds: leds-st1202: Initialize hardware before DT node child operations",
                            "    - ext4: reject the 'data_err=abort' option in nojournal mode",
                            "    - ext4: do not convert the unwritten extents if data writeback fails",
                            "    - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject()",
                            "    - posix-timers: Add cond_resched() to posix_timer_add() search loop",
                            "    - posix-timers: Ensure that timer initialization is fully visible",
                            "    - net: stmmac: dwmac-rk: Validate GRF and peripheral GRF during probe",
                            "    - net: hsr: Fix PRP duplicate detection",
                            "    - timer_list: Don't use %pK through printk()",
                            "    - wifi: rtw89: coex: Fix coexistence report not show as expected",
                            "    - wifi: rtw89: set force HE TB mode when connecting to 11ax AP",
                            "    - netfilter: conntrack: Bound nf_conntrack sysctl writes",
                            "    - PNP: Expand length of fixup id string",
                            "    - phy: rockchip: usbdp: Only verify link rates/lanes/voltage when the",
                            "      corresponding set flags are set",
                            "    - arm64/mm: Check pmd_table() in pmd_trans_huge()",
                            "    - arm64/mm: Check PUD_TYPE_TABLE in pud_bad()",
                            "    - mmc: dw_mmc: add exynos7870 DW MMC support",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - usb: xhci: Don't change the status of stalled TDs on failed Stop EP",
                            "    - wifi: iwlwifi: mvm: fix setting the TK when associated",
                            "    - hwmon: (dell-smm) Increment the number of fans",
                            "    - iommu: Keep dev->iommu state consistent",
                            "    - printk: Check CON_SUSPEND when unblanking a console",
                            "    - wifi: iwlwifi: don't warn when if there is a FW error",
                            "    - wifi: iwlwifi: w/a FW SMPS mode selection",
                            "    - wifi: iwlwifi: mark Br device not integrated",
                            "    - wifi: iwlwifi: fix the ECKV UEFI variable name",
                            "    - wifi: mac80211: don't include MLE in ML reconf per-STA profile",
                            "    - wifi: cfg80211: Update the link address when a link is added",
                            "    - wifi: mac80211: fix warning on disconnect during failed ML reconf",
                            "    - wifi: mac80211_hwsim: Fix MLD address translation",
                            "    - wifi: mac80211: fix U-APSD check in ML reconfiguration",
                            "    - wifi: cfg80211: allow IR in 20 MHz configurations",
                            "    - r8169: increase max jumbo packet size on RTL8125/RTL8126",
                            "    - ipv6: save dontfrag in cork",
                            "    - drm/amd/display: remove minimum Dispclk and apply oem panel timing.",
                            "    - drm/amd/display: calculate the remain segments for all pipes",
                            "    - drm/amd/display: not abort link train when bw is low",
                            "    - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch",
                            "    - gfs2: Check for empty queue in run_queue",
                            "    - auxdisplay: charlcd: Partially revert \"Move hwidth and bwidth to struct",
                            "      hd44780_common\"",
                            "    - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup()",
                            "    - badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable",
                            "      < 0",
                            "    - block: acquire q->limits_lock while reading sysfs attributes",
                            "    - coresight-etb10: change etb_drvdata spinlock's type to raw_spinlock_t",
                            "    - coresight: change coresight_trace_id_map's lock type to raw_spinlock_t",
                            "    - iommu/vt-d: Check if SVA is supported when attaching the SVA domain",
                            "    - iommu/amd/pgtbl_v2: Improve error handling",
                            "    - fs/pipe: Limit the slots in pipe_resize_ring()",
                            "    - cpufreq: tegra186: Share policy per cluster",
                            "    - watchdog: s3c2410_wdt: Fix PMU register bits for ExynosAutoV920 SoC",
                            "    - watchdog: aspeed: Update bootstatus handling",
                            "    - misc: pci_endpoint_test: Give disabled BARs a distinct error code",
                            "    - selftests: pci_endpoint: Skip disabled BARs",
                            "    - crypto: mxs-dcp - Only set OTP_KEY bit for OTP key",
                            "    - drm/amdkfd: Set per-process flags only once for gfx9/10/11/12",
                            "    - drm/amdkfd: Set per-process flags only once cik/vi",
                            "    - drm/amdkfd: clear F8_MODE for gfx950",
                            "    - drm/amdgpu: increase RAS bad page threshold",
                            "    - drm/amdgpu: Fix missing drain retry fault the last entry",
                            "    - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator",
                            "    - arm64: tegra: Resize aperture for the IGX PCIe C5 slot",
                            "    - powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7",
                            "    - ALSA: seq: Improve data consistency at polling",
                            "    - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()",
                            "    - rtc: ds1307: stop disabling alarms on probe",
                            "    - ieee802154: ca8210: Use proper setters and getters for bitwise types",
                            "    - drm/xe: Nuke VM's mapping upon close",
                            "    - drm/xe: Retry BO allocation",
                            "    - soc: samsung: include linux/array_size.h where needed",
                            "    - ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114",
                            "    - media: c8sectpfe: Call of_node_put(i2c_bus) only once in",
                            "      c8sectpfe_probe()",
                            "    - media: cec: use us_to_ktime() where appropriate",
                            "    - usb: xhci: set page size to the xHCI-supported size",
                            "    - soc: mediatek: mtk-mutex: Add DPI1 SOF/EOF to MT8188 mutex tables",
                            "    - drm/gem: Test for imported GEM buffers with helper",
                            "    - net: phylink: use pl->link_interface in phylink_expects_phy()",
                            "    - blk-throttle: don't take carryover for prioritized processing of",
                            "      metadata",
                            "    - remoteproc: qcom_wcnss: Handle platforms with only single power domain",
                            "    - drm/xe: Disambiguate GMDID-based IP names",
                            "    - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c",
                            "    - drm/amdgpu: Reinit FW shared flags on VCN v5.0.1",
                            "    - drm/amd/display: Ensure DMCUB idle before reset on DCN31/DCN35",
                            "    - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination",
                            "    - drm/amd/display: Fix DMUB reset sequence for DCN401",
                            "    - drm/amd/display: Fix p-state type when p-state is unsupported",
                            "    - drm/amd/display: Request HW cursor on DCN3.2 with SubVP",
                            "    - drm/amdgpu: Avoid HDP flush on JPEG v5.0.1",
                            "    - drm/amdgpu: Add offset normalization in VCN v5.0.1",
                            "    - perf/core: Clean up perf_try_init_event()",
                            "    - pinctrl: bcm281xx: Use \"unsigned int\" instead of bare \"unsigned\"",
                            "    - rcu: Fix get_state_synchronize_rcu_full() GP-start detection",
                            "    - drm/msm/dpu: Set possible clones for all encoders",
                            "    - net: ethernet: ti: cpsw_new: populate netdev of_node",
                            "    - eth: fbnic: Prepend TSENE FW fields with FBNIC_FW",
                            "    - net: phy: nxp-c45-tja11xx: add match_phy_device to TJA1103/TJA1104",
                            "    - dpll: Add an assertion to check freq_supported_num",
                            "    - ublk: enforce ublks_max only for unprivileged devices",
                            "    - iommufd: Disallow allocating nested parent domain with fault ID",
                            "    - media: imx335: Set vblank immediately",
                            "    - net: pktgen: fix mpls maximum labels list parsing",
                            "    - perf/core: Fix perf_mmap() failure path",
                            "    - perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type",
                            "    - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7",
                            "    - scsi: logging: Fix scsi_logging_level bounds",
                            "    - ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config().",
                            "    - ipv4: fib: Hold rtnl_net_lock() in ip_rt_ioctl().",
                            "    - drm/rockchip: vop2: Add uv swap for cluster window",
                            "    - block: mark bounce buffering as incompatible with integrity",
                            "    - null_blk: generate null_blk configfs features string",
                            "    - ublk: complete command synchronously on error",
                            "    - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map",
                            "    - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value",
                            "    - clk: imx8mp: inform CCF of maximum frequency of clocks",
                            "    - PM: sleep: Suppress sleeping parent warning in special case",
                            "    - x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2",
                            "    - hwmon: (acpi_power_meter) Fix the fake power alarm reporting",
                            "    - hwmon: (gpio-fan) Add missing mutex locks",
                            "    - ARM: at91: pm: fix at91_suspend_finish for ZQ calibration",
                            "    - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence",
                            "    - fpga: altera-cvp: Increase credit timeout",
                            "    - perf: arm_pmuv3: Call kvm_vcpu_pmu_resync_el0() before enabling counters",
                            "    - soc: apple: rtkit: Use high prio work queue",
                            "    - soc: apple: rtkit: Implement OSLog buffers properly",
                            "    - wifi: ath12k: Report proper tx completion status to mac80211",
                            "    - PCI: brcmstb: Expand inbound window size up to 64GB",
                            "    - PCI: brcmstb: Add a softdep to MIP MSI-X driver",
                            "    - drm/xe/vf: Retry sending MMIO request to GUC on timeout error",
                            "    - drm/xe/pf: Create a link between PF and VF devices",
                            "    - net/mlx5: Avoid report two health errors on same syndrome",
                            "    - selftests/net: have `gro.sh -t` return a correct exit code",
                            "    - driver core: faux: only create the device if probe() succeeds",
                            "    - pinctrl: sophgo: avoid to modify untouched bit when setting cv1800",
                            "      pinconf",
                            "    - drm/amdkfd: KFD release_work possible circular locking",
                            "    - drm/xe: xe_gen_wa_oob: replace program_invocation_short_name",
                            "    - leds: pwm-multicolor: Add check for fwnode_property_read_u32",
                            "    - accel/amdxdna: Check interrupt register before mailbox_rx_worker exits",
                            "    - net: ethernet: mtk_ppe_offload: Allow QinQ, double ETH_P_8021Q only",
                            "    - net: xgene-v2: remove incorrect ACPI_PTR annotation",
                            "    - wifi: rtw89: Parse channel from IE to correct invalid hardware reports",
                            "      during scanning",
                            "    - bonding: report duplicate MAC address in all situations",
                            "    - tcp: be less liberal in TSEcr received while in SYN_RECV state",
                            "    - pinctrl: qcom: msm8917: Add MSM8937 wsa_reset pin",
                            "    - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band",
                            "    - soc: ti: k3-socinfo: Do not use syscon helper to build regmap",
                            "    - bpf: Search and add kfuncs in struct_ops prologue and epilogue",
                            "    - Octeontx2-af: RPM: Register driver with PCI subsys IDs",
                            "    - x86/build: Fix broken copy command in genimage.sh when making isoimage",
                            "    - drm/amd/display: handle max_downscale_src_width fail check",
                            "    - drm/amd/display: fix dcn4x init failed",
                            "    - drm/amd/display: fix check for identity ratio",
                            "    - drm/amd/display: Fix mismatch type comparison",
                            "    - drm/amd/display: Add opp recout adjustment",
                            "    - drm/amd/display: Fix mismatch type comparison in custom_float",
                            "    - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile",
                            "    - ASoC: mediatek: mt8188: Add reference for dmic clocks",
                            "    - x86/nmi: Add an emergency handler in nmi_desc & use it in",
                            "      nmi_shootdown_cpus()",
                            "    - vhost-scsi: Return queue full for page alloc failures during copy",
                            "    - vdpa/mlx5: Fix mlx5_vdpa_get_config() endianness on big-endian machines",
                            "    - cpuidle: menu: Avoid discarding useful information",
                            "    - media: adv7180: Disable test-pattern control on adv7180",
                            "    - media: tc358746: improve calculation of the D-PHY timing registers",
                            "    - net/mlx5e: Add correct match to check IPSec syndromes for switchdev mode",
                            "    - scsi: mpi3mr: Update timestamp only for supervisor IOCs",
                            "    - loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize",
                            "    - net: stmmac: Correct usage of maximum queue number macros",
                            "    - libbpf: Fix out-of-bound read",
                            "    - gpiolib: sanitize the return value of gpio_chip::set_config()",
                            "    - scsi: scsi_debug: First fixes for tapes",
                            "    - bpf: arm64: Silence \"UBSAN: negation-overflow\" warning",
                            "    - net/mlx5: Change POOL_NEXT_SIZE define value and make it global",
                            "    - x86/kaslr: Reduce KASLR entropy on most x86 systems",
                            "    - crypto: ahash - Set default reqsize from ahash_alg",
                            "    - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher",
                            "    - net: ipv6: Init tunnel link-netns before registering dev",
                            "    - rtnetlink: Lookup device in target netns when creating link",
                            "    - drm/xe/oa: Ensure that polled read returns latest data",
                            "    - MIPS: Use arch specific syscall name match function",
                            "    - drm/amdgpu: remove all KFD fences from the BO on release",
                            "    - x86/mm: Make MMU_GATHER_RCU_TABLE_FREE unconditional",
                            "    - x86/locking: Use ALT_OUTPUT_SP() for percpu_{,try_}cmpxchg{64,128}_op()",
                            "    - pps: generators: replace copy of pps-gen info struct with const pointer",
                            "    - MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core",
                            "    - clocksource: mips-gic-timer: Enable counter when CPUs start",
                            "    - PCI: epf-mhi: Update device ID for SA8775P",
                            "    - scsi: mpt3sas: Send a diag reset if target reset fails",
                            "    - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU",
                            "    - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU",
                            "    - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31",
                            "    - wifi: rtw88: Fix rtw_mac_power_switch() for RTL8814AU",
                            "    - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx()",
                            "    - wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32()",
                            "    - wifi: rtw89: fw: add blacklist to avoid obsolete secure firmware",
                            "    - wifi: rtw89: 8922a: fix incorrect STA-ID in EHT MU PPDU",
                            "    - power: supply: axp20x_battery: Update temp sensor for AXP717 from device",
                            "      tree",
                            "    - EDAC/ie31200: work around false positive build warning",
                            "    - i3c: master: svc: Flush FIFO before sending Dynamic Address",
                            "      Assignment(DAA)",
                            "    - netdevsim: call napi_schedule from a timer context",
                            "    - mfd: axp20x: AXP717: Add AXP717_TS_PIN_CFG to writeable regs",
                            "    - eeprom: ee1004: Check chip before probing",
                            "    - irqchip/riscv-imsic: Separate next and previous pointers in IMSIC vector",
                            "    - drm/xe/client: Skip show_run_ticks if unable to read timestamp",
                            "    - drm/amd/pm: Fetch current power limit from PMFW",
                            "    - drm/amd/display: Add support for disconnected eDP streams",
                            "    - drm/amd/display: Guard against setting dispclk low when active",
                            "    - drm/amd/display: Fix BT2020 YCbCr limited/full range input",
                            "    - drm/amd/display: Read LTTPR ALPM caps during link cap retrieval",
                            "    - Revert \"drm/amd/display: Request HW cursor on DCN3.2 with SubVP\"",
                            "    - drm/amd/display: Don't treat wb connector as physical in",
                            "      create_validate_stream_for_sink",
                            "    - RDMA/core: Fix best page size finding when it can cross SG entries",
                            "    - pmdomain: imx: gpcv2: use proper helper for property detection",
                            "    - can: c_can: Use of_property_present() to test existence of DT property",
                            "    - bpf: don't do clean_live_states when state->loop_entry->branches > 0",
                            "    - eth: mlx4: don't try to complete XDP frames in netpoll",
                            "    - PCI: Fix old_size lower bound in calculate_iosize() too",
                            "    - ACPI: HED: Always initialize before evged",
                            "    - vxlan: Join / leave MC group after remote changes",
                            "    - posix-timers: Invoke cond_resched() during exit_itimers()",
                            "    - hrtimers: Replace hrtimer_clock_to_base_table with switch-case",
                            "    - irqchip/riscv-imsic: Set irq_set_affinity() for IMSIC base",
                            "    - media: test-drivers: vivid: don't call schedule in loop",
                            "    - bpf: Make every prog keep a copy of ctx_arg_info",
                            "    - net/mlx5: Modify LSB bitmask in temperature event to include only the",
                            "      first bit",
                            "    - net/mlx5: Apply rate-limiting to high temperature warning",
                            "    - firmware: arm_ffa: Reject higher major version as incompatible",
                            "    - firmware: arm_ffa: Handle the presence of host partition in the",
                            "      partition info",
                            "    - firmware: xilinx: Dont send linux address to get fpga config get status",
                            "    - io_uring: use IO_REQ_LINK_FLAGS more",
                            "    - io_uring: sanitise ring params earlier",
                            "    - ASoC: ops: Enforce platform maximum on initial value",
                            "    - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG",
                            "    - ASoC: tas2764: Mark SW_RESET as volatile",
                            "    - ASoC: tas2764: Power up/down amp on mute ops",
                            "    - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()",
                            "    - pinctrl: devicetree: do not goto err when probing hogs in",
                            "      pinctrl_dt_to_map",
                            "    - smack: recognize ipv4 CIPSO w/o categories",
                            "    - drm/xe/pf: Release all VFs configs on device removal",
                            "    - smack: Revert \"smackfs: Added check catlen\"",
                            "    - kunit: tool: Use qboot on QEMU x86_64",
                            "    - media: i2c: imx219: Correct the minimum vblanking value",
                            "    - media: v4l: Memset argument to 0 before calling get_mbus_config pad op",
                            "    - media: stm32: csi: use ARRAY_SIZE to search D-PHY table",
                            "    - media: stm32: csi: add missing pm_runtime_put on error",
                            "    - media: i2c: ov2740: Free control handler on error path",
                            "    - bnxt_en: Set NPAR 1.2 support when registering with firmware",
                            "    - net/mlx4_core: Avoid impossible mlx4_db_alloc() order value",
                            "    - drm/xe: Stop ignoring errors from xe_ttm_stolen_mgr_init()",
                            "    - drm/xe: Fix xe_tile_init_noalloc() error propagation",
                            "    - clk: qcom: ipq5018: allow it to be bulid on arm32",
                            "    - [Config] enable IPQ_GCC_5018 on armhf",
                            "    - accel/amdxdna: Refactor hardware context destroy routine",
                            "    - clk: qcom: clk-alpha-pll: Do not use random stack value for recalc rate",
                            "    - drm/xe/debugfs: fixed the return value of wedged_mode_set",
                            "    - drm/xe/debugfs: Add missing xe_pm_runtime_put in wedge_mode_set",
                            "    - x86/ibt: Handle FineIBT in handle_cfi_failure()",
                            "    - x86/traps: Cleanup and robustify decode_bug()",
                            "    - x86/boot: Mark start_secondary() with __noendbr",
                            "    - sched: Reduce the default slice to avoid tasks getting an extra tick",
                            "    - serial: sh-sci: Update the suspend/resume support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for pull up/down",
                            "    - drm/xe/display: Remove hpd cancel work sync from runtime pm path",
                            "    - phy: phy-rockchip-samsung-hdptx: Swap the definitions of LCPLL_REF and",
                            "      ROPLL_REF",
                            "    - phy: core: don't require set_mode() callback for phy_get_mode() to work",
                            "    - phy: exynos5-usbdrd: fix EDS distribution tuning (gs101)",
                            "    - soundwire: amd: change the soundwire wake enable/disable sequence",
                            "    - soundwire: cadence_master: set frame shape and divider based on actual",
                            "      clk freq",
                            "    - jbd2: Avoid long replay times due to high number or revoke blocks",
                            "    - net: stmmac: dwmac-loongson: Set correct {tx,rx}_fifo_size",
                            "    - scsi: usb: Rename the RESERVE and RELEASE constants",
                            "    - drm/amdgpu/mes11: fix set_hw_resources_1 calculation",
                            "    - drm/amdkfd: fix missing L2 cache info in topology",
                            "    - drm/amdgpu: Set snoop bit for SDMA for MI series",
                            "    - drm/amd/display: pass calculated dram_speed_mts to dml2",
                            "    - drm/amd/display: remove TF check for LLS policy",
                            "    - drm/amd/display: Don't try AUX transactions on disconnected link",
                            "    - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer",
                            "    - drm/amd/pm: Skip P2S load for SMU v13.0.12",
                            "    - drm/amd/display: Support multiple options during psr entry.",
                            "    - Revert \"drm/amd/display: Exit idle optimizations before attempt to",
                            "      access PHY\"",
                            "    - drm/amd/display: Fixes for mcache programming in DML21",
                            "    - drm/amd/display: Ammend DCPG IP control sequences to align with HW",
                            "      guidance",
                            "    - drm/amd/display: Account For OTO Prefetch Bandwidth When Calculating",
                            "      Urgent Bandwidth",
                            "    - drm/amd/display: Update CR AUX RD interval interpretation",
                            "    - drm/amd/display: Initial psr_version with correct setting",
                            "    - drm/amdgpu/gfx10: Add cleaner shader for GFX10.1.10",
                            "    - drm/amdgpu: Skip err_count sysfs creation on VF unsupported RAS blocks",
                            "    - amdgpu/soc15: enable asic reset for dGPU in case of suspend abort",
                            "    - drm/amd/display: Reverse the visual confirm recouts",
                            "    - drm/amd/display: Use Nominal vBlank If Provided Instead Of Capping It",
                            "    - drm/amd/display: Populate register address for dentist for dcn401",
                            "    - drm/amdgpu: Use active umc info from discovery",
                            "    - drm/amdgpu: enlarge the VBIOS binary size limit",
                            "    - drm/amdkfd: Have kfd driver use same PASID values from graphic driver",
                            "    - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer()",
                            "    - scsi: target: spc: Fix loop traversal in spc_rsoc_get_descr()",
                            "    - net/mlx5: XDP, Enable TX side XDP multi-buffer support",
                            "    - net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB",
                            "    - net/mlx5e: set the tx_queue_len for pfifo_fast",
                            "    - net/mlx5e: reduce rep rxq depth to 256 for ECPF",
                            "    - net/mlx5e: reduce the max log mpwrq sz for ECPF and reps",
                            "    - drm/v3d: Add clock handling",
                            "    - xfrm: prevent high SEQ input in non-ESN mode",
                            "    - iio: adc: ad7606: protect register access",
                            "    - wifi: ath12k: Enable MLO setup ready and teardown commands for single",
                            "      split-phy device",
                            "    - wifi: ath12k: use arvif instead of link_conf in ath12k_mac_set_key()",
                            "    - wifi: ath12k: fix the ampdu id fetch in the HAL_RX_MPDU_START TLV",
                            "    - wifi: ath12k: Update the peer id in PPDU end user stats TLV",
                            "    - mptcp: pm: userspace: flags: clearer msg if no remote addr",
                            "    - wifi: iwlwifi: use correct IMR dump variable",
                            "    - wifi: iwlwifi: don't warn during reprobe",
                            "    - wifi: mac80211: always send max agg subframe num in strict mode",
                            "    - wifi: mac80211: don't unconditionally call drv_mgd_complete_tx()",
                            "    - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call",
                            "    - wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx",
                            "    - wifi: mac80211: add HT and VHT basic set verification",
                            "    - wifi: mac80211: Drop cooked monitor support",
                            "    - net: fec: Refactor MAC reset to function",
                            "    - powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory",
                            "    - powerpc/pseries/iommu: create DDW for devices with DMA mask less than",
                            "      64-bits",
                            "    - arch/powerpc/perf: Check the instruction type before creating sample",
                            "      with perf_mem_data_src",
                            "    - ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure().",
                            "    - r8152: add vendor/device ID pair for Dell Alienware AW1022z",
                            "    - iio: adc: ad7944: don't use storagebits for sizing",
                            "    - igc: Avoid unnecessary link down event in XDP_SETUP_PROG process",
                            "    - pstore: Change kmsg_bytes storage size to u32",
                            "    - leds: trigger: netdev: Configure LED blink interval for HW offload",
                            "    - ext4: don't write back data before punch hole in nojournal mode",
                            "    - ext4: remove writable userspace mappings before truncating page cache",
                            "    - wifi: rtw88: Fix rtw_update_sta_info() for RTL8814AU",
                            "    - wifi: rtw88: Extend rtw_fw_send_ra_info() for RTL8814AU",
                            "    - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU",
                            "    - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU",
                            "    - wifi: rtw89: coex: Assign value over than 0 to avoid firmware timer hang",
                            "    - wifi: rtw89: fw: validate multi-firmware header before getting its size",
                            "    - wifi: rtw89: fw: validate multi-firmware header before accessing",
                            "    - wifi: rtw89: call power_on ahead before selecting firmware",
                            "    - iio: dac: ad3552r-hs: use instruction mode for configuration",
                            "    - iio: dac: adi-axi-dac: add bus mode setup",
                            "    - clk: qcom: camcc-sm8250: Use clk_rcg2_shared_ops for some RCGs",
                            "    - netdevsim: allow normal queue reset while down",
                            "    - net: page_pool: avoid false positive warning if NAPI was never added",
                            "    - tools/power turbostat: Clustered Uncore MHz counters should honor",
                            "      show/hide options",
                            "    - hwmon: (xgene-hwmon) use appropriate type for the latency value",
                            "    - drm/xe: Fix PVC RPe and RPa information",
                            "    - f2fs: introduce f2fs_base_attr for global sysfs entries",
                            "    - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is",
                            "      available",
                            "    - media: qcom: camss: Add default case in vfe_src_pad_code",
                            "    - drm/rockchip: vop2: Improve display modes handling on RK3588 HDMI0",
                            "    - eth: fbnic: set IFF_UNICAST_FLT to avoid enabling promiscuous mode when",
                            "      adding unicast addrs",
                            "    - tools: ynl-gen: don't output external constants",
                            "    - ipv4: ip_gre: Fix set but not used warning in ipgre_err() if IPv4-only",
                            "    - r8169: don't scan PHY addresses > 0",
                            "    - net: flush_backlog() small changes",
                            "    - bridge: mdb: Allow replace of a host-joined group",
                            "    - ice: init flow director before RDMA",
                            "    - ice: treat dyn_allowed only as suggestion",
                            "    - rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y",
                            "    - rcu: handle unstable rdp in rcu_read_unlock_strict()",
                            "    - rcu: fix header guard for rcu_all_qs()",
                            "    - perf: Avoid the read if the count is already updated",
                            "    - ice: count combined queues using Rx/Tx count",
                            "    - drm/xe/relay: Don't use GFP_KERNEL for new transactions",
                            "    - net/mana: fix warning in the writer of client oob",
                            "    - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine",
                            "    - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk",
                            "    - scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when",
                            "      pci_irq_vector() fails",
                            "    - scsi: lpfc: Reduce log message generation during ELS ring clean up",
                            "    - scsi: st: Restore some drive settings after reset",
                            "    - wifi: ath12k: Avoid napi_sync() before napi_enable()",
                            "    - HID: usbkbd: Fix the bit shift number for LED_KANA",
                            "    - arm64: zynqmp: add clock-output-names property in clock nodes",
                            "    - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode",
                            "    - ASoC: rt722-sdca: Add some missing readable registers",
                            "    - irqchip/riscv-aplic: Add support for hart indexes",
                            "    - dm vdo indexer: prevent unterminated string warning",
                            "    - dm vdo: use a short static string for thread name prefix",
                            "    - drm/ast: Find VBIOS mode from regular display size",
                            "    - bpf: Use kallsyms to find the function name of a struct_ops's stub",
                            "      function",
                            "    - bpftool: Fix readlink usage in get_fd_type",
                            "    - firmware: arm_scmi: Relax duplicate name constraint across protocol ids",
                            "    - perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt",
                            "    - perf/amd/ibs: Fix ->config to sample period calculation for OP PMU",
                            "    - clk: renesas: rzg2l-cpg: Refactor Runtime PM clock validation",
                            "    - wifi: rtl8xxxu: retry firmware download on error",
                            "    - wifi: rtw88: Don't use static local variable in",
                            "      rtw8822b_set_tx_power_index_by_rate",
                            "    - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet",
                            "    - spi: zynqmp-gqspi: Always acknowledge interrupts",
                            "    - regulator: ad5398: Add device tree support",
                            "    - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override",
                            "    - accel/qaic: Mask out SR-IOV PCI resources",
                            "    - drm/xe/pf: Reset GuC VF config when unprovisioning critical resource",
                            "    - wifi: ath9k: return by of_get_mac_address",
                            "    - wifi: ath12k: Fetch regdb.bin file from board-2.bin",
                            "    - drm/xe/pf: Move VFs reprovisioning to worker",
                            "    - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor",
                            "    - wifi: ath12k: report station mode receive rate for IEEE 802.11be",
                            "    - wifi: ath12k: report station mode transmit rate",
                            "    - drm: bridge: adv7511: fill stream capabilities",
                            "    - drm/nouveau: fix the broken marco GSP_MSG_MAX_SIZE",
                            "    - wifi: ath11k: Use dma_alloc_noncoherent for rx_tid buffer allocation",
                            "    - drm/ast: Hide Gens 1 to 3 TX detection in branch",
                            "    - drm/xe: Move suballocator init to after display init",
                            "    - drm/xe: Do not attempt to bootstrap VF in execlists mode",
                            "    - wifi: rtw89: coex: Separated Wi-Fi connecting event from Wi-Fi scan",
                            "      event",
                            "    - wifi: rtw89: coex: Add protect to avoid A2DP lag while Wi-Fi connecting",
                            "    - drm/xe/sa: Always call drm_suballoc_manager_fini()",
                            "    - drm/xe: Always setup GT MMIO adjustment data",
                            "    - drm/xe/guc: Drop error messages about missing GuC logs",
                            "    - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset",
                            "    - drm/buddy: fix issue that force_merge cannot free all roots",
                            "    - drm/xe: Add locks in gtidle code",
                            "    - drm/panel-edp: Add Starry 116KHD024006",
                            "    - drm: Add valid clones check",
                            "    - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work()",
                            "    - ASoC: sma1307: Fix error handling in sma1307_setting_loaded()",
                            "    - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group()",
                            "    - watchdog: aspeed: fix 64-bit division",
                            "    - drm/amdkfd: Correct F8_MODE for gfx950",
                            "    - drm/gem: Internally test import_attach for imported objects",
                            "    - virtgpu: don't reset on shutdown",
                            "    - x86/mm/init: Handle the special case of device private pages in",
                            "      add_pages(), to not increase max_pfn and trigger",
                            "      dma_addressing_limited() bounce buffers",
                            "    - bpf: abort verification if env->cur_state->loop_entry != NULL",
                            "    - ipv6: remove leftover ip6 cookie initializer",
                            "    - serial: sh-sci: Save and restore more registers",
                            "    - drm/amd/display: Exit idle optimizations before accessing PHY",
                            "    - drm/amdkfd: Fix error handling for missing PASID in",
                            "      'kfd_process_device_init_vm'",
                            "    - drm/amdkfd: Fix pasid value leak",
                            "    - wifi: mac80211: Add counter for all monitor interfaces",
                            "    - HID: Kconfig: Add LEDS_CLASS_MULTICOLOR dependency to HID_LOGITECH",
                            "    - net-sysfs: restore behavior for not running devices",
                            "    - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()",
                            "    - book3s64/radix: Fix compile errors when",
                            "      CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=n",
                            "    - pinctrl: meson: define the pull up/down resistor value as 60 kOhm",
                            "    - smb: server: smb2pdu: check return value of xa_store()",
                            "    - platform/x86/intel: hid: Add Pantherlake support",
                            "    - platform/x86: asus-wmi: Disable OOBE state after resume from hibernation",
                            "    - platform/x86: ideapad-laptop: add support for some new buttons",
                            "    - ASoC: cs42l43: Disable headphone clamps during type detection",
                            "    - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx",
                            "    - drm/ttm: fix the warning for hit_low and evict_low",
                            "    - nvme-pci: add quirks for device 126f:1001",
                            "    - nvme-pci: add quirks for WDC Blue SN550 15b7:5009",
                            "    - ALSA: usb-audio: Fix duplicated name in MIDI substream names",
                            "    - io_uring/fdinfo: annotate racy sq/cq head/tail reads",
                            "    - cifs: Fix and improve cifs_query_path_info() and cifs_query_file_info()",
                            "    - cifs: Fix changing times and read-only attr over SMB1",
                            "      smb_set_file_info() function",
                            "    - ASoC: intel/sdw_utils: Add volume limit to cs42l43 speakers",
                            "    - ASoC: intel/sdw_utils: Add volume limit to cs35l56 speakers",
                            "    - iio: accel: fxls8962af: Fix wakeup source leaks on device unbind",
                            "    - iio: adc: qcom-spmi-iadc: Fix wakeup source leaks on device unbind",
                            "    - iio: imu: st_lsm6dsx: Fix wakeup source leaks on device unbind",
                            "    - btrfs: compression: adjust cb->compressed_folios allocation type",
                            "    - btrfs: handle empty eb->folios in num_extent_folios()",
                            "    - tools: ynl-gen: validate 0 len strings from kernel",
                            "    - block: only update request sector if needed",
                            "    - wifi: iwlwifi: add support for Killer on MTL",
                            "    - xenbus: Allow PVH dom0 a non-local xenstore",
                            "    - drm/amd/display: Call FP Protect Before Mode Programming/Mode Support",
                            "    - soundwire: bus: Fix race on the creation of the IRQ domain",
                            "    - espintcp: remove encap socket caching to avoid reference leak",
                            "    - xfrm: Fix UDP GRO handling for some corner cases",
                            "    - dmaengine: idxd: Fix allowing write() from different address spaces",
                            "    - x86/sev: Fix operator precedence in GHCB_MSR_VMPL_REQ_LEVEL macro",
                            "    - kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork()",
                            "    - remoteproc: qcom_wcnss: Fix on platforms without fallback regulators",
                            "    - clk: sunxi-ng: d1: Add missing divider for MMC mod clocks",
                            "    - xfrm: Sanitize marks before insert",
                            "    - dmaengine: idxd: Fix ->poll() return value",
                            "    - dmaengine: fsl-edma: Fix return code for unhandled interrupts",
                            "    - irqchip/riscv-imsic: Start local sync timer on correct CPU",
                            "    - Bluetooth: L2CAP: Fix not checking l2cap_chan security level",
                            "    - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump",
                            "      handling",
                            "    - bridge: netfilter: Fix forwarding of fragmented packets",
                            "    - ice: fix vf->num_mac count with port representors",
                            "    - ice: Fix LACP bonds without SRIOV environment",
                            "    - loop: don't require ->write_iter for writable files in loop_configure",
                            "    - pinctrl: qcom: switch to devm_register_sys_off_handler()",
                            "    - net: dwmac-sun8i: Use parsed internal PHY address instead of 1",
                            "    - net: lan743x: Restore SGMII CTRL register on resume",
                            "    - xsk: Bring back busy polling support in XDP_COPY",
                            "    - io_uring: fix overflow resched cqe reordering",
                            "    - idpf: fix idpf_vport_splitq_napi_poll()",
                            "    - octeontx2-pf: use xdp_return_frame() to free xdp buffers",
                            "    - octeontx2-pf: Add AF_XDP non-zero copy support",
                            "    - octeontx2-pf: AF_XDP zero copy receive support",
                            "    - octeontx2-pf: Avoid adding dcbnl_ops for LBK and SDP vf",
                            "    - octeontx2-af: Set LMT_ENA bit for APR table entries",
                            "    - octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG",
                            "    - clk: s2mps11: initialise clk_hw_onecell_data::num before accessing",
                            "      ::hws[] in probe()",
                            "    - can: slcan: allow reception of short error messages",
                            "    - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext",
                            "    - ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms",
                            "    - ASoc: SOF: topology: connect DAI to a single DAI link",
                            "    - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback",
                            "      direction",
                            "    - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10",
                            "    - llc: fix data loss when reading from a socket in llc_ui_recvmsg()",
                            "    - can: kvaser_pciefd: Continue parsing DMA buf after dropped RX",
                            "    - can: kvaser_pciefd: Fix echo_skb race",
                            "    - io_uring/net: only retry recv bundle for a full transfer",
                            "    - net: dsa: microchip: linearize skb for tail-tagging switches",
                            "    - vmxnet3: update MTU after device quiesce",
                            "    - mmc: sdhci_am654: Add SDHCI_QUIRK2_SUPPRESS_V1P8_ENA quirk to am62",
                            "      compatible",
                            "    - pmdomain: renesas: rcar: Remove obsolete nullify checks",
                            "    - pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()",
                            "    - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature",
                            "    - drm/edid: fixed the bug that hdr metadata was not reset",
                            "    - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs",
                            "    - smb: client: Reset all search buffer pointers when releasing buffer",
                            "    - Input: xpad - add more controllers",
                            "    - highmem: add folio_test_partial_kmap()",
                            "    - memcg: always call cond_resched() after fn()",
                            "    - mm/page_alloc.c: avoid infinite retries caused by cpuset race",
                            "    - module: release codetag section when module load fails",
                            "    - taskstats: fix struct taskstats breaks backward compatibility since",
                            "      version 15",
                            "    - mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled",
                            "    - mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y",
                            "    - mm: vmalloc: actually use the in-place vrealloc region",
                            "    - mm: vmalloc: only zero-init on vrealloc shrink",
                            "    - octeontx2: hide unused label",
                            "    - wifi: mac80211: restore monitor for outgoing frames",
                            "    - nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs()",
                            "    - Bluetooth: btmtksdio: Check function enabled before doing close",
                            "    - Bluetooth: btmtksdio: Do close if SDIO card removed without close",
                            "    - Revert \"arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection\"",
                            "    - ksmbd: fix stream write failure",
                            "    - platform/x86: think-lmi: Fix attribute name usage for non-compliant",
                            "      items",
                            "    - spi: use container_of_cont() for to_spi_device()",
                            "    - spi: spi-fsl-dspi: restrict register range for regmap access",
                            "    - spi: spi-fsl-dspi: Halt the module after a new message transfer",
                            "    - spi: spi-fsl-dspi: Reset SR flags before sending a new message",
                            "    - drm/xe: Use xe_mmio_read32() to read mtcfg register",
                            "    - err.h: move IOMEM_ERR_PTR() to err.h",
                            "    - drm/i915/dp: Fix determining SST/MST mode during MTP TU state",
                            "      computation",
                            "    - drm/amdgpu/vcn4.0.5: split code along instances",
                            "    - gcc-15: make 'unterminated string initialization' just a warning",
                            "    - gcc-15: disable '-Wunterminated-string-initialization' entirely for now",
                            "    - Fix mis-uses of 'cc-option' for warning disablement",
                            "    - kbuild: Properly disable -Wunterminated-string-initialization for clang",
                            "    - Linux 6.14.9",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38050",
                            "    - mm/hugetlb: fix kernel NULL pointer dereference when replacing free",
                            "      hugetlb folios",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38029",
                            "    - kasan: avoid sleepable page allocation from atomic context",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38076",
                            "    - alloc_tag: allocate percpu counters for module tags dynamically",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) // Unable to",
                            "    put display on standby after resuming from hibernate (LP: #2121449)",
                            "    - Revert \"drm/amd: Keep display off while going into S4\"",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38051",
                            "    - smb: client: Fix use-after-free in cifs_fill_dirent",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38077",
                            "    - platform/x86: dell-wmi-sysman: Avoid buffer overflow in",
                            "      current_password_store()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38078",
                            "    - ALSA: pcm: Fix race of buffer access at PCM OSS layer",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38003",
                            "    - can: bcm: add missing rcu read protection for procfs content",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38004",
                            "    - can: bcm: add locking for bcm_op runtime updates",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38031",
                            "    - padata: do not leak refcount in reorder_work",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38079",
                            "    - crypto: algif_hash - fix double free in hash_accept",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38052",
                            "    - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38053",
                            "    - idpf: fix null-ptr-deref in idpf_features_check",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38032",
                            "    - mr: consolidate the ipmr_can_free_table() checks.",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38054",
                            "    - ptp: ocp: Limit signal/freq counts in summary output functions",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38055",
                            "    - perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38057",
                            "    - espintcp: fix skb leaks",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38058",
                            "    - __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38033",
                            "    - x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38059",
                            "    - btrfs: avoid NULL pointer dereference if no valid csum tree",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38034",
                            "    - btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38035",
                            "    - nvmet-tcp: don't restore null sk_state_change",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38036",
                            "    - drm/xe/vf: Perform early GT MMIO initialization to read GMDID",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38037",
                            "    - vxlan: Annotate FDB data races",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38038",
                            "    - cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38039",
                            "    - net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload",
                            "      enabled",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38080",
                            "    - drm/amd/display: Increase block_sequence array size",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38060",
                            "    - bpf: copy_verifier_state() should copy 'loop_entry' field",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38040",
                            "    - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38061",
                            "    - net: pktgen: fix access outside of user given buffer in",
                            "      pktgen_thread_write()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38062",
                            "    - genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of",
                            "      iommu_cookie",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38041",
                            "    - clk: sunxi-ng: h616: Reparent GPU clock during frequency changes",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38063",
                            "    - dm: fix unconditional IO throttle caused by REQ_PREFLUSH",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38064",
                            "    - virtio: break and reset virtio devices on device_shutdown()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38042",
                            "    - dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from",
                            "      k3_udma_glue_reset_rx_chn",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38043",
                            "    - firmware: arm_ffa: Set dma_mask for ffa devices",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38044",
                            "    - media: cx231xx: set device_caps for 417",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38065",
                            "    - orangefs: Do not truncate file size",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38066",
                            "    - dm cache: prevent BUG_ON by blocking retries on failed device resumes",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38067",
                            "    - rseq: Fix segfault on registration when rseq_cs is non-zero",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38068",
                            "    - crypto: lzo - Fix compression buffer overrun",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38069",
                            "    - PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38045",
                            "    - wifi: iwlwifi: fix debug actions order",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38070",
                            "    - ASoC: sma1307: Add NULL check in sma1307_setting_loaded()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38071",
                            "    - x86/mm: Check return value from memblock_phys_alloc_range()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38072",
                            "    - libnvdimm/labels: Fix divide error in nd_label_data_init()",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38081",
                            "    - spi-rockchip: Fix register out of bounds access",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38047",
                            "    - x86/fred: Fix system hang during S4 resume with FRED enabled",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38073",
                            "    - block: fix race between set_blocksize and read paths",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38074",
                            "    - vhost-scsi: protect vq->log_used with vq->mutex",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38048",
                            "    - virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN",
                            "",
                            "  * Plucky update: v6.14.9 upstream stable release (LP: #2115678) //",
                            "    CVE-2025-38075",
                            "    - scsi: target: iscsi: Fix timeout on deleted connection",
                            "",
                            "  * CVE-2025-38350",
                            "    - net/sched: Always pass notifications when child class becomes empty",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-32.32",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2121653,
                            1786013,
                            2120454,
                            2111521,
                            2120233,
                            2116247,
                            2115478,
                            2118499,
                            2116175,
                            2119526,
                            2115393,
                            2115738,
                            2118965,
                            2112330,
                            2111231,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119603,
                            2119039,
                            2119039,
                            2119039,
                            2119039,
                            2119039,
                            2119010,
                            2119010,
                            2119010,
                            2119010,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2121449,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678,
                            2115678
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Fri, 29 Aug 2025 10:41:07 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-38056",
                                "url": "https://ubuntu.com/security/CVE-2025-38056",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Intel: hda: Fix UAF when reloading module  hda_generic_machine_select() appends -idisp to the tplg filename by allocating a new string with devm_kasprintf(), then stores the string right back into the global variable snd_soc_acpi_intel_hda_machines. When the module is unloaded, this memory is freed, resulting in a global variable pointing to freed memory.  Reloading the module then triggers a use-after-free:  BUG: KFENCE: use-after-free read in string+0x48/0xe0  Use-after-free read at 0x00000000967e0109 (in kfence-#99):  string+0x48/0xe0  vsnprintf+0x329/0x6e0  devm_kvasprintf+0x54/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64  allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):  devm_kmalloc+0x52/0x120  devm_kvasprintf+0x66/0xb0  devm_kasprintf+0x58/0x80  hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]  sof_probe_work+0x7f/0x600 [snd_sof]  process_one_work+0x17b/0x330  worker_thread+0x2ce/0x3f0  kthread+0xcf/0x100  ret_from_fork+0x31/0x50  ret_from_fork_asm+0x1a/0x30  freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):  release_nodes+0x43/0xb0  devres_release_all+0x90/0xf0  device_unbind_cleanup+0xe/0x70  device_release_driver_internal+0x1c1/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x42/0xb0  __do_sys_delete_module+0x1d1/0x310  do_syscall_64+0x82/0x190  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Fix it by copying the match array with devm_kmemdup_array() before we modify it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38008",
                                "url": "https://ubuntu.com/security/CVE-2025-38008",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/page_alloc: fix race condition in unaccepted memory handling  The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory.  Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone.  Sanity checks inside static_branch machinery detects it:  WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0  The comment around the WARN() explains the problem:  \t/* \t * Warn about the '-1' case though; since that means a \t * decrement is concurrent with a first (0->1) increment. IOW \t * people are trying to disable something that wasn't yet fully \t * enabled. This suggests an ordering problem on the user side. \t */  The effect of this static_branch optimization is only visible on microbenchmark.  Instead of adding more complexity around it, remove it altogether.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38014",
                                "url": "https://ubuntu.com/security/CVE-2025-38014",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: Refactor remove call with idxd_cleanup() helper  The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, engines and wqs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38015",
                                "url": "https://ubuntu.com/security/CVE-2025-38015",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: idxd: fix memory leak in error handling path of idxd_alloc  Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38005",
                                "url": "https://ubuntu.com/security/CVE-2025-38005",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dmaengine: ti: k3-udma: Add missing locking  Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled:  [    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [    4.144867] Hardware name: pp-v12 (DT) [    4.148648] Workqueue: events udma_check_tx_completion [    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [    4.160834] pc : udma_start.isra.0+0x34/0x238 [    4.165227] lr : udma_start.isra.0+0x30/0x238 [    4.169618] sp : ffffffc083cabcf0 [    4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [    4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [    4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [    4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [    4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [    4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [    4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [    4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [    4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [    4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [    4.244986] Call trace: [    4.247463]  udma_start.isra.0+0x34/0x238 [    4.251509]  udma_check_tx_completion+0xd0/0xdc [    4.256076]  process_one_work+0x244/0x3fc [    4.260129]  process_scheduled_works+0x6c/0x74 [    4.264610]  worker_thread+0x150/0x1dc [    4.268398]  kthread+0xd8/0xe8 [    4.271492]  ret_from_fork+0x10/0x20 [    4.275107] irq event stamp: 220 [    4.278363] hardirqs last  enabled at (219): 
[<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [    4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [    4.294879] softirqs last  enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [    4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [    4.311559] ---[ end trace 0000000000000000 ]---  This commit adds the missing locking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38009",
                                "url": "https://ubuntu.com/security/CVE-2025-38009",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: disable napi on driver removal  A warning on driver removal started occurring after commit 9dd05df8403b (\"net: warn if NAPI instance wasn't shut down\"). Disable tx napi before deleting it in mt76_dma_cleanup().   WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100  CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)  Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024  RIP: 0010:__netif_napi_del_locked+0xf0/0x100  Call Trace:  <TASK>  mt76_dma_cleanup+0x54/0x2f0 [mt76]  mt7921_pci_remove+0xd5/0x190 [mt7921e]  pci_device_remove+0x47/0xc0  device_release_driver_internal+0x19e/0x200  driver_detach+0x48/0x90  bus_remove_driver+0x6d/0xf0  pci_unregister_driver+0x2e/0xb0  __do_sys_delete_module.isra.0+0x197/0x2e0  do_syscall_64+0x7b/0x160  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way.  Found by Linux Verification Center (linuxtesting.org).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38010",
                                "url": "https://ubuntu.com/security/CVE-2025-38010",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking  The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as:  [  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [  237.763103] Call trace: [  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170 [  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30 [  237.763110]  phy_power_off+0x48/0x100 [  237.763113]  tegra_xusb_enter_elpg+0x204/0x500 [  237.763119]  tegra_xusb_suspend+0x48/0x140 [  237.763122]  platform_pm_suspend+0x2c/0xb0 [  237.763125]  dpm_run_callback.isra.0+0x20/0xa0 [  237.763127]  __device_suspend+0x118/0x330 [  237.763129]  dpm_suspend+0x10c/0x1f0 [  237.763130]  dpm_suspend_start+0x88/0xb0 [  237.763132]  suspend_devices_and_enter+0x120/0x500 [  237.763135]  pm_suspend+0x1ec/0x270  The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count.  To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually.  With this change:   - The bias pad is powered on only when the mask is clear.   - Each UTMI pad is powered on or down based on its corresponding bit     in the mask, preventing redundant operations.   
- The overall power state of the shared bias pad is maintained     correctly during suspend/resume cycles.  The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38011",
                                "url": "https://ubuntu.com/security/CVE-2025-38011",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: csa unmap use uninterruptible lock  After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace.  Change to use uninterruptible wait lock fix the issue.  WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525  amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]  Call Trace:   <TASK>   drm_file_free.part.0+0x1da/0x230 [drm]   drm_close_helper.isra.0+0x65/0x70 [drm]   drm_release+0x6a/0x120 [drm]   amdgpu_drm_release+0x51/0x60 [amdgpu]   __fput+0x9f/0x280   ____fput+0xe/0x20   task_work_run+0x67/0xa0   do_exit+0x217/0x3c0   do_group_exit+0x3b/0xb0   get_signal+0x14a/0x8d0   arch_do_signal_or_restart+0xde/0x100   exit_to_user_mode_loop+0xc1/0x1a0   exit_to_user_mode_prepare+0xf4/0x100   syscall_exit_to_user_mode+0x17/0x40   do_syscall_64+0x69/0xc0  (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38016",
                                "url": "https://ubuntu.com/security/CVE-2025-38016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: bpf: abort dispatch if device destroyed  The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages.  The bug will be triggered if the conditions below are met:  A) a device under the driver has some LEDs on B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)  If condition A is met, hidinput_led_worker() is always scheduled *after* hid_bpf_destroy_device().  hid_destroy_device ` hid_bpf_destroy_device   ` cleanup_srcu_struct(&hdev->bpf.srcu) ` hid_remove_device   ` ...     ` led_classdev_unregister       ` led_trigger_set(led_cdev, NULL)         ` led_set_brightness(led_cdev, LED_OFF)           ` ...             ` input_inject_event               ` input_event_dispose                 ` hidinput_input_event                   ` schedule_work(&hid->led_work) [hidinput_led_worker]  This is fine when condition B is not met, where hidinput_led_worker() calls hid_ll_driver->request(). This is the case for most HID drivers, which implement it or use the generic one from usbhid. The driver itself or an underlying driver will then abort processing the request.  Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads to the bug.  hidinput_led_worker ` hid_hw_output_report   ` dispatch_hid_bpf_output_report     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  The bug has existed since the introduction [2] of dispatch_hid_bpf_output_report(). 
However, the same bug also exists in dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect because of the lack of [1], but confirmed bpf.destroyed == 1) the bug against the commit (i.e., the Fixes:) introducing the function. This is because hidinput_led_worker() falls back to hid_hw_raw_request() when hid_ll_driver->output_report() is uninplemented (e.g., logitech- djreceiver).  hidinput_led_worker ` hid_hw_output_report: -ENOSYS ` hid_hw_raw_request   ` dispatch_hid_bpf_raw_requests     ` srcu_read_lock(&hdev->bpf.srcu)     ` srcu_read_unlock(&hdev->bpf.srcu, idx)  Fix the issue by returning early in the two mentioned functions if hid_bpf has been marked as destroyed. Though dispatch_hid_bpf_device_event() handles input events, and there is no evidence that it may be called after the destruction, the same check, as a safety net, is also added to it to maintain the consistency among all dispatch functions.  The impact of the bug on other architectures is unclear. Even if it acts as a hidden failure, this is still dangerous because it corrupts whatever is on the address calculated by SRCU. Thus, CC'ing the stable list.  [1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\") [2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for hid_hw_output_report\")",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38012",
                                "url": "https://ubuntu.com/security/CVE-2025-38012",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator  BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that next() and destroy() become noops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38018",
                                "url": "https://ubuntu.com/security/CVE-2025-38018",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/tls: fix kernel panic when alloc_page failed  We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called.  This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we detached the rcvq from the frag list. Alternative fix would be to reset full_len.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028  Call trace:  tls_strp_check_rcv+0x128/0x27c  tls_strp_data_ready+0x34/0x44  tls_data_ready+0x3c/0x1f0  tcp_data_ready+0x9c/0xe4  tcp_data_queue+0xf6c/0x12d0  tcp_rcv_established+0x52c/0x798",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38019",
                                "url": "https://ubuntu.com/security/CVE-2025-38019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices  The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:   # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1  # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 NOARP  (Note that the neighbor is not marked with 'offload')  When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:   # devlink dev reload pci/0000:01:00.0  $ ip neigh show dev gre1 nud noarp  0.0.0.0 lladdr 0.0.0.0 offload NOARP  If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:   # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1  # ip link del dev gre1  Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.  [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200 Read of size 8 at addr ffff888155b0e420 by task ip/2282 [...] 
Call Trace:  <TASK>  dump_stack_lvl+0x6f/0xa0  print_address_description.constprop.0+0x6f/0x350  print_report+0x108/0x205  kasan_report+0xdf/0x110  mlxsw_sp_neigh_entry_update+0x1ea/0x200  mlxsw_sp_router_rif_gone_sync+0x2a8/0x440  mlxsw_sp_rif_destroy+0x1e9/0x750  mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0  mlxsw_sp_router_netdevice_event+0x3ac/0x15e0  notifier_call_chain+0xca/0x150  call_netdevice_notifiers_info+0x7f/0x100  unregister_netdevice_many_notify+0xc8c/0x1d90  rtnl_dellink+0x34e/0xa50  rtnetlink_rcv_msg+0x6fb/0xb70  netlink_rcv_skb+0x131/0x360  netlink_unicast+0x426/0x710  netlink_sendmsg+0x75a/0xc20  __sock_sendmsg+0xc1/0x150  ____sys_sendmsg+0x5aa/0x7b0  ___sys_sendmsg+0xfc/0x180  __sys_sendmsg+0x121/0x1b0  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38013",
                                "url": "https://ubuntu.com/security/CVE-2025-38013",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request  Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller:  UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')  This was missed in the initial conversions because I failed to locate the allocation likely due to the \"sizeof(void *)\" not matching the \"channels\" array type.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38002",
                                "url": "https://ubuntu.com/security/CVE-2025-38002",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()  Not everything requires locking in there, which is why the 'has_lock' variable exists. But enough does that it's a bit unwieldy to manage. Wrap the whole thing in a ->uring_lock trylock, and just return with no output if we fail to grab it. The existing trylock() will already have greatly diminished utility/output for the failure case.  This fixes an issue with reading the SQE fields, if the ring is being actively resized at the same time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-06 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38027",
                                "url": "https://ubuntu.com/security/CVE-2025-38027",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regulator: max20086: fix invalid memory access  max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.  of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().  struct devm_of_regulator_matches is populated with the stack allocated matches array.  If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:  max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.  Followed by a stack trace matching the call flow described above.  Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.  This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38020",
                                "url": "https://ubuntu.com/security/CVE-2025-38020",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Disable MACsec offload for uplink representor profile  MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features.  If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set.  Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().  Kernel log:  Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace:  <TASK>  ? 
die_addr+0x3d/0xa0  ? exc_general_protection+0x144/0x220  ? asm_exc_general_protection+0x22/0x30  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? __mutex_lock+0x128/0x1dd0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mutex_lock_io_nested+0x1ae0/0x1ae0  ? lock_acquire+0x1c2/0x530  ? macsec_upd_offload+0x145/0x380  ? lockdep_hardirqs_on_prepare+0x400/0x400  ? kasan_save_stack+0x30/0x40  ? kasan_save_stack+0x20/0x40  ? kasan_save_track+0x10/0x30  ? __kasan_kmalloc+0x77/0x90  ? __kmalloc_noprof+0x249/0x6b0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240  ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]  ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]  macsec_update_offload+0x26c/0x820  ? macsec_set_mac_address+0x4b0/0x4b0  ? lockdep_hardirqs_on_prepare+0x284/0x400  ? _raw_spin_unlock_irqrestore+0x47/0x50  macsec_upd_offload+0x2c8/0x380  ? macsec_update_offload+0x820/0x820  ? __nla_parse+0x22/0x30  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240  genl_family_rcv_msg_doit+0x1cc/0x2a0  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240  ? cap_capable+0xd4/0x330  genl_rcv_msg+0x3ea/0x670  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? lockdep_set_lock_cmp_fn+0x190/0x190  ? macsec_update_offload+0x820/0x820  netlink_rcv_skb+0x12b/0x390  ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0  ? netlink_ack+0xd80/0xd80  ? rwsem_down_read_slowpath+0xf90/0xf90  ? netlink_deliver_tap+0xcd/0xac0  ? netlink_deliver_tap+0x155/0xac0  ? _copy_from_iter+0x1bb/0x12c0  genl_rcv+0x24/0x40  netlink_unicast+0x440/0x700  ? netlink_attachskb+0x760/0x760  ? lock_acquire+0x1c2/0x530  ? __might_fault+0xbb/0x170  netlink_sendmsg+0x749/0xc10  ? netlink_unicast+0x700/0x700  ? __might_fault+0xbb/0x170  ? netlink_unicast+0x700/0x700  __sock_sendmsg+0xc5/0x190  ____sys_sendmsg+0x53f/0x760  ? import_iovec+0x7/0x10  ? kernel_sendmsg+0x30/0x30  ? __copy_msghdr+0x3c0/0x3c0  ? 
filter_irq_stacks+0x90/0x90  ? stack_depot_save_flags+0x28/0xa30  ___sys_sen ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38021",
                                "url": "https://ubuntu.com/security/CVE-2025-38021",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp  Similar to commit 6a057072ddd1 (\"drm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe\") that addresses a null pointer dereference on dcn20_update_dchubp_dpp. This is the same function hooked for update_dchubp_dpp in dcn401, with the same issue. Fix possible null pointer dereference on dcn401_program_pipe too.  (cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38006",
                                "url": "https://ubuntu.com/security/CVE-2025-38006",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mctp: Don't access ifa_index when missing  In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox \"ip addr show\".  The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index).  BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128  rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380  rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824  netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37992",
                                "url": "https://ubuntu.com/security/CVE-2025-37992",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: Flush gso_skb list too during ->change()  Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen.  This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-26 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38022",
                                "url": "https://ubuntu.com/security/CVE-2025-38022",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem  Call Trace:   __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xc3/0x670 mm/kasan/report.c:521  kasan_report+0xe0/0x110 mm/kasan/report.c:634  strlen+0x93/0xa0 lib/string.c:420  __fortify_strlen include/linux/fortify-string.h:268 [inline]  get_kobj_path_length lib/kobject.c:118 [inline]  kobject_get_path+0x3f/0x2a0 lib/kobject.c:158  kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545  ib_register_device drivers/infiniband/core/device.c:1472 [inline]  ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393  rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552  rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550  rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225  nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796  rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195  rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]  netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339  netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg net/socket.c:727 [inline]  ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566  ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620  __sys_sendmsg+0x16d/0x220 net/socket.c:2652  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  This problem is similar to the problem that the commit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\") fixes.  
The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time.  The solution is to add the lock protection when this name is accessed in the function kobject_uevent().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38028",
                                "url": "https://ubuntu.com/security/CVE-2025-38028",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS/localio: Fix a race in nfs_local_open_fh()  Once the clp->cl_uuid.lock has been dropped, another CPU could come in and free the struct nfsd_file that was just added. To prevent that from happening, take the RCU read lock before dropping the spin lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38023",
                                "url": "https://ubuntu.com/security/CVE-2025-38023",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs: handle failure of nfs_get_lock_context in unlock path  When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example:  BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace:  <TASK>  __rpc_execute+0xbc/0x480  rpc_async_schedule+0x2f/0x40  process_one_work+0x232/0x5d0  worker_thread+0x1da/0x3d0  ? __pfx_worker_thread+0x10/0x10  kthread+0x10d/0x240  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x34/0x50  ? 
__pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]---  Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38007",
                                "url": "https://ubuntu.com/security/CVE-2025-38007",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: uclogic: Add NULL check in uclogic_input_configured()  devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference.  Add NULL check after devm_kasprintf() to prevent this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38024",
                                "url": "https://ubuntu.com/security/CVE-2025-38024",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug  Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xcf/0x610 mm/kasan/report.c:489  kasan_report+0xb5/0xe0 mm/kasan/report.c:602  rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195  rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132  __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232  rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109  create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052  ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095  ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679  vfs_write fs/read_write.c:677 [inline]  vfs_write+0x26a/0xcc0 fs/read_write.c:659  ksys_write+0x1b8/0x200 fs/read_write.c:731  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur.  The solution is to let rxe_cleanup do all the work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38025",
                                "url": "https://ubuntu.com/security/CVE-2025-38025",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: adc: ad7606: check for NULL before calling sw_mode_config()  Check that the sw_mode_config function pointer is not NULL before calling it. Not all buses define this callback, which resulted in a NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-18 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37963",
                                "url": "https://ubuntu.com/security/CVE-2025-37963",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users  Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB.  In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37948",
                                "url": "https://ubuntu.com/security/CVE-2025-37948",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs  A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next.  On exit from a BPF program, emit the BHB mitigation sequence.  This is only applied for 'classic' cBPF programs that are loaded by seccomp.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37994",
                                "url": "https://ubuntu.com/security/CVE-2025-37994",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix NULL pointer access  This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37967",
                                "url": "https://ubuntu.com/security/CVE-2025-37967",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: typec: ucsi: displayport: Fix deadlock  This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock scenario where ucsi_displayport_remove_partner holds con->mutex waiting for dp_altmode_work to complete while dp_altmode_work attempts to acquire it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37950",
                                "url": "https://ubuntu.com/security/CVE-2025-37950",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: fix panic in failed foilio allocation  commit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit 9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of pages\") save -ENOMEM in the folio array upon allocation failure and call the folio array free code.  The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic.  Fix by NULLing the error folio entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37995",
                                "url": "https://ubuntu.com/security/CVE-2025-37995",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  module: ensure that kobject_put() is safe for module type kobjects  In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37960",
                                "url": "https://ubuntu.com/security/CVE-2025-37960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memblock: Accept allocated memory before use in memblock_double_array()  When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest:    RIP: 0010:memcpy_orig+0x68/0x130   Code: ...   RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006   RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000   RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00   RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000   R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78   R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00   memblock_double_array+0xff/0x310   memblock_add_range+0x1fb/0x2f0   memblock_reserve+0x4f/0xa0   memblock_alloc_range_nid+0xac/0x130   memblock_alloc_internal+0x53/0xc0   memblock_alloc_try_nid+0x3d/0xa0   swiotlb_init_remap+0x149/0x2f0   mem_init+0xb/0xb0   mm_core_init+0x8f/0x350   start_kernel+0x17e/0x5d0   x86_64_start_reservations+0x14/0x30   x86_64_start_kernel+0x92/0xa0   secondary_startup_64_no_verify+0x194/0x19b  Mitigate this by calling accept_memory() on the memory range returned before the slab is available.  Prior to v6.12, the accept_memory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the accept_memory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37996",
                                "url": "https://ubuntu.com/security/CVE-2025-37996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()  Commit fce886a60207 (\"KVM: arm64: Plumb the pKVM MMU in KVM\") made the initialization of the local memcache variable in user_mem_abort() conditional, leaving a codepath where it is used uninitialized via kvm_pgtable_stage2_map().  This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging.  Fix this by making sure that memcache is always valid.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37949",
                                "url": "https://ubuntu.com/security/CVE-2025-37949",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xenbus: Use kref to track req lifetime  Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace:  <TASK>  __wake_up_common_lock+0x82/0xd0  process_msg+0x18e/0x2f0  xenbus_thread+0x165/0x1c0  process_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems like it was xs_wake_up() in this case.  It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed data.  Linux Device Drivers 2nd edition states: \"Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns.\" ... which would match the behaviour observed.  Change to keeping two krefs on each request.  One for the caller, and one for xenbus_thread.  Each will kref_put() when finished, and the last will free it.  This use of kref matches the description in Documentation/core-api/kref.rst",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37954",
                                "url": "https://ubuntu.com/security/CVE-2025-37954",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Avoid race in open_cached_dir with lease breaks  A pre-existing valid cfid returned from find_or_create_cached_dir might race with a lease break, meaning open_cached_dir doesn't consider it valid, and thinks it's newly-constructed. This leaks a dentry reference if the allocation occurs before the queued lease break work runs.  Avoid the race by extending holding the cfid_list_lock across find_or_create_cached_dir and when the result is checked.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37965",
                                "url": "https://ubuntu.com/security/CVE-2025-37965",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix invalid context error in dml helper  [Why] \"BUG: sleeping function called from invalid context\" error. after: \"drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()\"  The populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag for memory allocation, which shouldn't be used in atomic contexts.  The allocation is needed only for using another helper function get_scaler_data_for_plane().  [How] Modify helpers to pass a pointer to scaler_data within existing context, eliminating the need for dynamic memory allocation/deallocation and copying.  (cherry picked from commit bd3e84bc98f81b44f2c43936bdadc3241d654259)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37951",
                                "url": "https://ubuntu.com/security/CVE-2025-37951",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/v3d: Add job to pending list if the reset was skipped  When a CL/CSD job times out, we check if the GPU has made any progress since the last timeout. If so, instead of resetting the hardware, we skip the reset and let the timer get rearmed. This gives long-running jobs a chance to complete.  However, when `timedout_job()` is called, the job in question is removed from the pending list, which means it won't be automatically freed through `free_job()`. Consequently, when we skip the reset and keep the job running, the job won't be freed when it finally completes.  This situation leads to a memory leak, as exposed in [1] and [2].  Similarly to commit 704d3d60fec4 (\"drm/etnaviv: don't block scheduler when GPU is still active\"), this patch ensures the job is put back on the pending list when extending the timeout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37968",
                                "url": "https://ubuntu.com/security/CVE-2025-37968",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: light: opt3001: fix deadlock due to concurrent flag access  The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock.  Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37969",
                                "url": "https://ubuntu.com/security/CVE-2025-37969",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo  Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37970",
                                "url": "https://ubuntu.com/security/CVE-2025-37970",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo  Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37966",
                                "url": "https://ubuntu.com/security/CVE-2025-37966",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL  When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes:  Oops - illegal instruction [#1]     [snip] epc : set_tagged_addr_ctrl+0x112/0x15a  ra : set_tagged_addr_ctrl+0x74/0x15a epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10     [snip] status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002     set_tagged_addr_ctrl+0x112/0x15a     __riscv_sys_prctl+0x352/0x73c     do_trap_ecall_u+0x17c/0x20c     andle_exception+0x150/0x15c  Fix it by checking if Supm is available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37957",
                                "url": "https://ubuntu.com/security/CVE-2025-37957",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception  Previously, commit ed129ec9057f (\"KVM: x86: forcibly leave nested mode on vCPU reset\") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM).  This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception while the vCPU is in SMM. This situation was reprodused using Syzkaller by:    1) Creating a KVM VM and vCPU   2) Sending a KVM_SMI ioctl to explicitly enter SMM   3) Executing invalid instructions causing consecutive exceptions and      eventually a triple fault  The issue manifests as follows:    WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112   kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Modules linked in:   CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted   6.1.130-syzkaller-00157-g164fe5dde9b6 #0   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),   BIOS 1.12.0-1 04/01/2014   RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112   Call Trace:    <TASK>    shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136    svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395    svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457    vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline]    vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062    kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283    kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:870 [inline]    __se_sys_ioctl fs/ioctl.c:856 [inline]    __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856    do_syscall_x64 arch/x86/entry/common.c:51 [inline]    do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81    
entry_SYSCALL_64_after_hwframe+0x6e/0xd8  Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN() in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper emulation of INIT.  SHUTDOWN on SVM is a weird edge case where KVM needs to do _something_ sane with the VMCB, since it's technically undefined, and INIT is the least awful choice given KVM's ABI.  So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of SMM to avoid any weirdness (and the WARN).  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.  [sean: massage changelog, make it clear this isn't architectural behavior]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37958",
                                "url": "https://ubuntu.com/security/CVE-2025-37958",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/huge_memory: fix dereferencing invalid pmd migration entry  When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below.  To prevent this invalid access, it is necessary to check the PMD migration entry and return early.  In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio.  Since the PMD migration entry is locked, it cannot be served as the target.  Mailing list discussion and explanation from Hugh Dickins: \"An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of replacing the wrong folio\" comment a few lines above it) is for.\"  BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The bug is found by syzkaller on an internal kernel, then confirmed on upstream.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37964",
                                "url": "https://ubuntu.com/security/CVE-2025-37964",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Eliminate window where TLB flushes may be inadvertently skipped  tl;dr: There is a window in the mm switching code where the new CR3 is set and the CPU should be getting TLB flushes for the new mm.  But should_flush_tlb() has a bug and suppresses the flush.  Fix it by widening the window where should_flush_tlb() sends an IPI.  Long Version:  === History ===  There were a few things leading up to this.  First, updating mm_cpumask() was observed to be too expensive, so it was made lazier.  But being lazy caused too many unnecessary IPIs to CPUs due to the now-lazy mm_cpumask().  So code was added to cull mm_cpumask() periodically[2].  But that culling was a bit too aggressive and skipped sending TLB flushes to CPUs that need them.  So here we are again.  === Problem ===  The too-aggressive code in should_flush_tlb() strikes in this window:  \t// Turn on IPIs for this CPU/mm combination, but only \t// if should_flush_tlb() agrees: \tcpumask_set_cpu(cpu, mm_cpumask(next));  \tnext_tlb_gen = atomic64_read(&next->context.tlb_gen); \tchoose_new_asid(next, next_tlb_gen, &new_asid, &need_flush); \tload_new_mm_cr3(need_flush); \t// ^ After 'need_flush' is set to false, IPIs *MUST* \t// be sent to this CPU and not be ignored.          this_cpu_write(cpu_tlbstate.loaded_mm, next); \t// ^ Not until this point does should_flush_tlb() \t// become true!  should_flush_tlb() will suppress TLB flushes between load_new_mm_cr3() and writing to 'loaded_mm', which is a window where they should not be suppressed.  Whoops.  === Solution ===  Thankfully, the fuzzy \"just about to write CR3\" window is already marked with loaded_mm==LOADED_MM_SWITCHING.  Simply checking for that state in should_flush_tlb() is sufficient to ensure that the CPU is targeted with an IPI.  This will cause more TLB flush IPIs.  
But the window is relatively small and I do not expect this to cause any kind of measurable performance impact.  Update the comment where LOADED_MM_SWITCHING is written since it grew yet another user.  Peter Z also raised a concern that should_flush_tlb() might not observe 'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off() writes them.  Add a barrier to ensure that they are observed in the order they are written.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37971",
                                "url": "https://ubuntu.com/security/CVE-2025-37971",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: bcm2835-camera: Initialise dev in v4l2_dev  Commit 42a2f6664e18 (\"staging: vc04_services: Move global g_state to vchiq_state\") changed mmal_init to pass dev->v4l2_dev.dev to vchiq_mmal_init, however nothing initialised dev->v4l2_dev, so we got a NULL pointer dereference.  Set dev->v4l2_dev.dev during bcm2835_mmal_probe. The device pointer could be passed into v4l2_device_register to set it, however that also has other effects that would need additional changes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37972",
                                "url": "https://ubuntu.com/security/CVE-2025-37972",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Input: mtk-pmic-keys - fix possible null pointer dereference  In mtk_pmic_keys_probe, the regs parameter is only set if the button is parsed in the device tree. However, on hardware where the button is left floating, that node will most likely be removed not to enable that input. In that case the code will try to dereference a null pointer.  Let's use the regs struct instead as it is defined for all supported platforms. Note that it is ok setting the key reg even if that latter is disabled as the interrupt won't be enabled anyway.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37959",
                                "url": "https://ubuntu.com/security/CVE-2025-37959",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Scrub packet on bpf_redirect_peer  When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be \"misused\" in another namespace.  As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function.      NETNS       MARK  IFACE  TUPLE                                FUNC     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb                              .active_extensions = (__u8)2,     4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53 gro_cells_receive                              .active_extensions = (__u8)2,     [...]     4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53 skb_do_redirect                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 ip_rcv_core                              .active_extensions = (__u8)2,     [...]     
4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session                              .active_extensions = (__u8)2,     4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)                              .active_extensions = (__u8)2,  In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected. When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption.  This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37961",
                                "url": "https://ubuntu.com/security/CVE-2025-37961",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: fix uninit-value for saddr in do_output_route4  syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 (\"ipvs: do not use random local source address for tunnels\") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr.  [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147  __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 
arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4167 [inline]  slab_alloc_node mm/slub.c:4210 [inline]  __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367  kmalloc_noprof include/linux/slab.h:905 [inline]  ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]  __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323  ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136  ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626  nf_hook include/linux/netfilter.h:269 [inline]  __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118  ip_local_out net/ipv4/ip_output.c:127 [inline]  ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501  udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195  udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483  inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851  sock_sendmsg_nosec net/socket.c:712 [inline]  __sock_sendmsg+0x267/0x380 net/socket.c:727  ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620  __sys_sendmmsg+0x41d/0x880 net/socket.c:2702  __compat_sys_sendmmsg net/compat.c:360 [inline]  __do_compat_sys_sendmmsg net/compat.c:367 [inline]  __se_compat_sys_sendmmsg net/compat.c:364 [inline]  __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364  ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]  __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306  do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369  entry_SYSENTER_compat_after_hwframe+0x84/0x8e  CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engi ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37993",
                                "url": "https://ubuntu.com/security/CVE-2025-37993",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe  The spin lock tx_handling_spinlock in struct m_can_classdev is not being initialized. This leads the following spinlock bad magic complaint from the kernel, eg. when trying to send CAN frames with cansend from can-utils:  | BUG: spinlock bad magic on CPU#0, cansend/95 |  lock: 0xff60000002ec1010, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 | CPU: 0 UID: 0 PID: 95 Comm: cansend Not tainted 6.15.0-rc3-00032-ga79be02bba5c #5 NONE | Hardware name: MachineWare SIM-V (DT) | Call Trace: | [<ffffffff800133e0>] dump_backtrace+0x1c/0x24 | [<ffffffff800022f2>] show_stack+0x28/0x34 | [<ffffffff8000de3e>] dump_stack_lvl+0x4a/0x68 | [<ffffffff8000de70>] dump_stack+0x14/0x1c | [<ffffffff80003134>] spin_dump+0x62/0x6e | [<ffffffff800883ba>] do_raw_spin_lock+0xd0/0x142 | [<ffffffff807a6fcc>] _raw_spin_lock_irqsave+0x20/0x2c | [<ffffffff80536dba>] m_can_start_xmit+0x90/0x34a | [<ffffffff806148b0>] dev_hard_start_xmit+0xa6/0xee | [<ffffffff8065b730>] sch_direct_xmit+0x114/0x292 | [<ffffffff80614e2a>] __dev_queue_xmit+0x3b0/0xaa8 | [<ffffffff8073b8fa>] can_send+0xc6/0x242 | [<ffffffff8073d1c0>] raw_sendmsg+0x1a8/0x36c | [<ffffffff805ebf06>] sock_write_iter+0x9a/0xee | [<ffffffff801d06ea>] vfs_write+0x184/0x3a6 | [<ffffffff801d0a88>] ksys_write+0xa0/0xc0 | [<ffffffff801d0abc>] __riscv_sys_write+0x14/0x1c | [<ffffffff8079ebf8>] do_trap_ecall_u+0x168/0x212 | [<ffffffff807a830a>] handle_exception+0x146/0x152  Initializing the spin lock in m_can_class_allocate_dev solves that problem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37955",
                                "url": "https://ubuntu.com/security/CVE-2025-37955",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()  The selftests added to our CI by Bui Quang Minh recently reveals that there is a mem leak on the error path of virtnet_xsk_pool_enable():  unreferenced object 0xffff88800a68a000 (size 2048):   comm \"xdp_helper\", pid 318, jiffies 4294692778   hex dump (first 32 bytes):     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   backtrace (crc 0):     __kvmalloc_node_noprof+0x402/0x570     virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)     xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)     xsk_bind+0x6a5/0x1ae0     __sys_bind+0x15e/0x230     __x64_sys_bind+0x72/0xb0     do_syscall_64+0xc1/0x1d0     entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37962",
                                "url": "https://ubuntu.com/security/CVE-2025-37962",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: fix memory leak in parse_lease_state()  The previous patch that added bounds check for create lease context introduced a memory leak. When the bounds check fails, the function returns NULL without freeing the previously allocated lease_ctx_info structure.  This patch fixes the issue by adding kfree(lreq) before returning NULL in both boundary check cases.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37998",
                                "url": "https://ubuntu.com/security/CVE-2025-37998",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: Fix unsafe attribute parsing in output_userspace()  This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37952",
                                "url": "https://ubuntu.com/security/CVE-2025-37952",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: Fix UAF in __close_file_table_ids  A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this.  The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37947",
                                "url": "https://ubuntu.com/security/CVE-2025-37947",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent out-of-bounds stream writes by validating *pos  ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write.  This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37956",
                                "url": "https://ubuntu.com/security/CVE-2025-37956",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: prevent rename with empty string  Client can send empty newname string to ksmbd server. It will cause a kernel oops from d_alloc. This patch returns an error when attempting to rename a file or directory with an empty new name string.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37973",
                                "url": "https://ubuntu.com/security/CVE-2025-37973",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation  Currently during the multi-link element defragmentation process, the multi-link element length is added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer.  To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37999",
                                "url": "https://ubuntu.com/security/CVE-2025-37999",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()  If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty `struct bio`.  Then it retries the bio_add_folio() call.  However, at this point, erofs_onlinefolio_split() has already been called which increments `folio->private`; the retry will call erofs_onlinefolio_split() again, but there will never be a matching erofs_onlinefolio_end() call.  This leaves the folio locked forever and all waiters will be stuck in folio_wait_bit_common().  This bug has been added by commit ce63cb62d794 (\"erofs: support unencoded inodes for fileio\"), but was practically unreachable because there was room for 256 folios in the `struct bio` - until commit 9f74ae8c9ac9 (\"erofs: shorten bvecs[] for file-backed mounts\") which reduced the array capacity to 16 folios.  It was now trivial to trigger the bug by manually invoking readahead from userspace, e.g.:   posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);  This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded.  This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-38083",
                                "url": "https://ubuntu.com/security/CVE-2025-38083",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: prio: fix a race in prio_tune()  Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.  The race is as follows:  CPU 0                                 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root  |  |                                    [5]: lock root  |                                    [6]: rehash  |                                    [7]: qdisc_tree_reduce_backlog()  | [4]: qdisc_put()  This can be abused to underflow a parent's qlen.  Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-20 12:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-28.28 -proposed tracker (LP: #2117649)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2025.07.14)",
                            "",
                            "  * Dell AIO backlight is not working, dell_uart_backlight module is missing",
                            "    (LP: #2083800)",
                            "    - [Config] enable CONFIG_DELL_UART_BACKLIGHT",
                            "",
                            "  * integrated I219-LM network adapter appears to be running too fast, causing",
                            "    synchronization issues when using the I219-LM PTP feature (LP: #2116072)",
                            "    - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13",
                            "",
                            "  * Audio broken on ThinkPad X13s (LP: #2115898)",
                            "    - SAUCE: Revert \"UBUNTU: SAUCE: Change: cracking sound fix\"",
                            "",
                            "  * Ubuntu 24.04+ arm64: screen resolution fixed to 1024x768 with last kernel",
                            "    update (LP: #2115068)",
                            "    - [Config] Replace FB_HYPERV with DRM_HYPERV",
                            "",
                            "  * [SRU][HPE 24.04] Patch Request for HPE iLO7 VGA device for Gen12 Servers",
                            "    (LP: #2114516)",
                            "    - drm/mgag200: Added support for the new device G200eH5",
                            "",
                            "  * A process exiting with an open /dev/snapshot fd causes a NULL pointer",
                            "    dereference caught by ubuntu_stress_smoke_test:sut-scan (LP: #2113990)",
                            "    - libfs: export find_next_child()",
                            "    - efivarfs: support freeze/thaw",
                            "",
                            "  * [SRU] Add support for new hotkey of F9 on Thinkpad X9 (LP: #2115022)",
                            "    - platform/x86: thinkpad-acpi: Add support for new hotkey for camera",
                            "      shutter switch",
                            "",
                            "  * [SRU] Fix GT0: Engine reset when suspend on Intel LNL (LP: #2114697)",
                            "    - drm/xe/sched: stop re-submitting signalled jobs",
                            "",
                            "  * CVE-2025-38056",
                            "    - devres: Introduce devm_kmemdup_array()",
                            "    - ASoC: SOF: Intel: hda: Fix UAF when reloading module",
                            "",
                            "  * Handle IOMMU IVRS entries with mismatched UID on AMD Strix or newer",
                            "    platforms (LP: #2115174)",
                            "    - iommu/amd: Allow matching ACPI HID devices without matching UIDs",
                            "",
                            "  * [UBUNTU 22.04] kernel: Fix z17 elf platform recognition (LP: #2114450)",
                            "    - s390: Add z17 elf platform",
                            "",
                            "  * [UBUNTU 24.04] Kernel: Add CPUMF extended counter set for z17",
                            "    (LP: #2114258)",
                            "    - s390/cpumf: Update CPU Measurement facility extended counter set support",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266)",
                            "    - arm64: dts: rockchip: Assign RT5616 MCLK rate on rk3588-friendlyelec-",
                            "      cm3588",
                            "    - fs/xattr.c: fix simple_xattr_list to always include security.* xattrs",
                            "    - drivers/platform/x86/amd: pmf: Check for invalid sideloaded Smart PC",
                            "      Policies",
                            "    - drivers/platform/x86/amd: pmf: Check for invalid Smart PC Policies",
                            "    - x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through AMD_NODE",
                            "    - platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive",
                            "      drivers",
                            "    - arm64: dts: rockchip: fix Sige5 RTC interrupt pin",
                            "    - riscv: dts: sophgo: fix DMA data-width configuration for CV18xx",
                            "    - binfmt_elf: Move brk for static PIE even if ASLR disabled",
                            "    - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie",
                            "      14XA (GX4HRXL)",
                            "    - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection",
                            "    - arm64: dts: imx8mp-var-som: Fix LDO5 shutdown causing SD card timeout",
                            "    - cgroup/cpuset: Extend kthread_is_per_cpu() check to all",
                            "      PF_NO_SETAFFINITY tasks",
                            "    - tracing: fprobe: Fix RCU warning message in list traversal",
                            "    - tracing: probes: Fix a possible race in trace_probe_log APIs",
                            "    - tpm: tis: Double the timeout B to 4s",
                            "    - iio: adc: ad7606: move the software mode configuration",
                            "    - iio: adc: ad7606: move software functions into common file",
                            "    - HID: thrustmaster: fix memory leak in thrustmaster_interrupts()",
                            "    - spi: loopback-test: Do not split 1024-byte hexdumps",
                            "    - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags",
                            "    - drm/meson: Use 1000ULL when operating with mode->clock",
                            "    - tools/net/ynl: ethtool: fix crash when Hardware Clock info is missing",
                            "    - tests/ncdevmem: Fix double-free of queue array",
                            "    - net: mctp: Ensure keys maintain only one ref to corresponding dev",
                            "    - ALSA: seq: Fix delivery of UMP events to group ports",
                            "    - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info",
                            "    - net: cadence: macb: Fix a possible deadlock in macb_halt_tx.",
                            "    - net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING",
                            "    - nvme-pci: make nvme_pci_npages_prp() __always_inline",
                            "    - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable",
                            "    - ALSA: sh: SND_AICA should depend on SH_DMA_API",
                            "    - net: dsa: b53: prevent standalone from trying to forward to other ports",
                            "    - vsock/test: Fix occasional failure in SIOCOUTQ tests",
                            "    - qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()",
                            "    - octeontx2-pf: Fix ethtool support for SDP representors",
                            "    - drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value",
                            "    - netlink: specs: tc: fix a couple of attribute names",
                            "    - netlink: specs: tc: all actions are indexed arrays",
                            "    - octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy",
                            "    - net: ethernet: mtk_eth_soc: fix typo for declaration MT7988 ESW",
                            "      capability",
                            "    - octeontx2-af: Fix CGX Receive counters",
                            "    - octeontx2-pf: Do not reallocate all ntuple filters",
                            "    - tsnep: fix timestamping with a stacked DSA driver",
                            "    - ublk: fix dead loop when canceling io command",
                            "    - NFSv4/pnfs: Reset the layout state after a layoutreturn",
                            "    - dmaengine: Revert \"dmaengine: dmatest: Fix dmatest waiting less when",
                            "      interrupted\"",
                            "    - Revert \"kbuild, rust: use -fremap-path-prefix to make paths relative\"",
                            "    - udf: Make sure i_lenExtents is uptodate on inode eviction",
                            "    - HID: amd_sfh: Fix SRA sensor when it's the only sensor",
                            "    - LoongArch: Prevent cond_resched() occurring within kernel-fpu",
                            "    - LoongArch: Move __arch_cpu_idle() to .cpuidle.text section",
                            "    - LoongArch: Save and restore CSR.CNTC for hibernation",
                            "    - LoongArch: Fix MAX_REG_OFFSET calculation",
                            "    - LoongArch: uprobes: Remove user_{en,dis}able_single_step()",
                            "    - LoongArch: uprobes: Remove redundant code about resume_era",
                            "    - btrfs: fix discard worker infinite loop after disabling discard",
                            "    - btrfs: fix folio leak in submit_one_async_extent()",
                            "    - btrfs: add back warning for mount option commit values exceeding 300",
                            "    - Revert \"drm/amd/display: Hardware cursor changes color when switched to",
                            "      software cursor\"",
                            "    - drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc()",
                            "    - drm/amdgpu: fix incorrect MALL size for GFX1151",
                            "    - drm/amd/display: Correct the reply value when AUX write incomplete",
                            "    - drm/amd/display: Avoid flooding unnecessary info messages",
                            "    - MAINTAINERS: Update Alexey Makhalov's email address",
                            "    - gpio: pca953x: fix IRQ storm on system wake up",
                            "    - ACPI: PPTT: Fix processor subtable walk",
                            "    - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()",
                            "    - ALSA: usb-audio: Add sample rate quirk for Audioengine D1",
                            "    - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera",
                            "    - dma-buf: insert memory barrier before updating num_fences",
                            "    - arm64: dts: amlogic: dreambox: fix missing clkc_audio node",
                            "    - arm64: dts: rockchip: Allow Turing RK1 cooling fan to spin down",
                            "    - arm64: dts: rockchip: Remove overdrive-mode OPPs from RK3588J SoC dtsi",
                            "    - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages",
                            "    - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array",
                            "    - hv_netvsc: Remove rmsg_pgcnt",
                            "    - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges",
                            "    - Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer()",
                            "    - kbuild: Disable -Wdefault-const-init-unsafe",
                            "    - i2c: designware: Fix an error handling path in i2c_dw_pci_probe()",
                            "    - ftrace: Fix preemption accounting for stacktrace trigger command",
                            "    - ftrace: Fix preemption accounting for stacktrace filter command",
                            "    - x86/sev: Do not touch VMSA pages during SNP guest memory kdump",
                            "    - x86/sev: Make sure pages are not skipped during kdump",
                            "    - tracing: samples: Initialize trace_array_printk() with the correct",
                            "      function",
                            "    - phy: Fix error handling in tegra_xusb_port_init",
                            "    - net: dsa: microchip: let phylink manage PHY EEE configuration on KSZ",
                            "      switches",
                            "    - net: phy: micrel: remove KSZ9477 EEE quirks now handled by phylink",
                            "    - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind",
                            "    - phy: renesas: rcar-gen3-usb2: Set timing registers only once",
                            "    - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer",
                            "    - smb: client: fix memory leak during error handling for POSIX mkdir",
                            "    - spi: tegra114: Use value to check for invalid delays",
                            "    - tpm: Mask TPM RC in tpm2_start_auth_session()",
                            "    - wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl",
                            "    - ring-buffer: Fix persistent buffer when commit page is the reader page",
                            "    - net: qede: Initialize qede_ll_ops with designated initializer",
                            "    - io_uring/memmap: don't use page_address() on a highmem page",
                            "    - io_uring/uring_cmd: fix hybrid polling initialization issue",
                            "    - mm: hugetlb: fix incorrect fallback for subpool",
                            "    - mm: userfaultfd: correct dirty flags set for both present and swap pte",
                            "    - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure",
                            "      instead of a local copy",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_setup_wqs",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_setup_engines",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_setup_groups",
                            "    - dmaengine: idxd: Add missing cleanup for early error out in",
                            "      idxd_setup_internals",
                            "    - dmaengine: idxd: Add missing cleanups in cleanup internals",
                            "    - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove",
                            "      call",
                            "    - dmaengine: idxd: fix memory leak in error handling path of",
                            "      idxd_pci_probe",
                            "    - accel/ivpu: Use workqueue for IRQ handling",
                            "    - accel/ivpu: Dump only first MMU fault from single context",
                            "    - accel/ivpu: Move parts of MMU event IRQ handling to thread handler",
                            "    - accel/ivpu: Fix missing MMU events from reserved SSID",
                            "    - accel/ivpu: Fix missing MMU events if file_priv is unbound",
                            "    - accel/ivpu: Flush pending jobs of device's workqueues",
                            "    - drm/xe/gsc: do not flush the GSC worker from the reset path",
                            "    - perf tools: Fix build error for LoongArch",
                            "    - phy: tegra: xusb: remove a stray unlock",
                            "    - Linux 6.14.8",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38008",
                            "    - mm/page_alloc: fix race condition in unaccepted memory handling",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38014",
                            "    - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38015",
                            "    - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38005",
                            "    - dmaengine: ti: k3-udma: Add missing locking",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38009",
                            "    - wifi: mt76: disable napi on driver removal",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38010",
                            "    - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38011",
                            "    - drm/amdgpu: csa unmap use uninterruptible lock",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38016",
                            "    - HID: bpf: abort dispatch if device destroyed",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38012",
                            "    - sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38018",
                            "    - net/tls: fix kernel panic when alloc_page failed",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38019",
                            "    - mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38013",
                            "    - wifi: mac80211: Set n_channels after allocating struct",
                            "      cfg80211_scan_request",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38002",
                            "    - io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38027",
                            "    - regulator: max20086: fix invalid memory access",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38020",
                            "    - net/mlx5e: Disable MACsec offload for uplink representor profile",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38021",
                            "    - drm/amd/display: Fix null check of pipe_ctx->plane_state for",
                            "      update_dchubp_dpp",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38006",
                            "    - net: mctp: Don't access ifa_index when missing",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-37992",
                            "    - net_sched: Flush gso_skb list too during ->change()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38022",
                            "    - RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\"",
                            "      problem",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38028",
                            "    - NFS/localio: Fix a race in nfs_local_open_fh()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38023",
                            "    - nfs: handle failure of nfs_get_lock_context in unlock path",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38007",
                            "    - HID: uclogic: Add NULL check in uclogic_input_configured()",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38024",
                            "    - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug",
                            "",
                            "  * Plucky update: v6.14.8 upstream stable release (LP: #2115266) //",
                            "    CVE-2025-38025",
                            "    - iio: adc: ad7606: check for NULL before calling sw_mode_config()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252)",
                            "    - dm: add missing unlock on in dm_keyslot_evict()",
                            "    - Revert \"btrfs: canonicalize the device path before adding it\"",
                            "    - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2",
                            "    - firmware: arm_scmi: Fix timeout checks on polling path",
                            "    - can: mcan: m_can_class_unregister(): fix order of unregistration calls",
                            "    - vfio/pci: Align huge faults to order",
                            "    - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls",
                            "    - can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls",
                            "    - s390/entry: Fix last breaking event handling in case of stack corruption",
                            "    - SAUCE: Revert \"sch_htb: make htb_deactivate() idempotent\"",
                            "    - sch_htb: make htb_deactivate() idempotent",
                            "    - virtio-net: don't re-enable refill work too early when NAPI is disabled",
                            "    - gre: Fix again IPv6 link-local address generation.",
                            "    - net: ethernet: mtk_eth_soc: reset all TX queues on DMA free",
                            "    - net: ethernet: mtk_eth_soc: do not reset PSE when setting FE",
                            "    - can: mcp251xfd: fix TDC setting for low data bit rates",
                            "    - can: gw: fix RCU/BH usage in cgw_create_job()",
                            "    - wifi: mac80211: fix the type of status_code for negotiated TID to Link",
                            "      Mapping",
                            "    - ice: use DSN instead of PCI BDF for ice_adapter index",
                            "    - erofs: ensure the extra temporary copy is valid for shortened bvecs",
                            "    - net: dsa: b53: allow leaky reserved multicast",
                            "    - net: dsa: b53: keep CPU port always tagged again",
                            "    - net: dsa: b53: fix clearing PVID of a port",
                            "    - net: dsa: b53: fix flushing old pvid VLAN on pvid change",
                            "    - net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave",
                            "    - net: dsa: b53: always rejoin default untagged VLAN on bridge leave",
                            "    - net: dsa: b53: do not allow to configure VLAN 0",
                            "    - net: dsa: b53: do not program vlans when vlan filtering is off",
                            "    - net: dsa: b53: fix toggling vlan_filtering",
                            "    - net: dsa: b53: fix learning on VLAN unaware bridges",
                            "    - net: dsa: b53: do not set learning and unicast/multicast on up",
                            "    - fbnic: Fix initialization of mailbox descriptor rings",
                            "    - fbnic: Gate AXI read/write enabling on FW mailbox",
                            "    - fbnic: Actually flush_tx instead of stalling out",
                            "    - fbnic: Cleanup handling of completions",
                            "    - fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready",
                            "    - fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context",
                            "    - fbnic: Do not allow mailbox to toggle to ready outside",
                            "      fbnic_mbx_poll_tx_ready",
                            "    - net: export a helper for adding up queue stats",
                            "    - virtio-net: fix total qstat values",
                            "    - Input: cyttsp5 - ensure minimum reset pulse width",
                            "    - Input: cyttsp5 - fix power control issue on wakeup",
                            "    - Input: xpad - fix Share button on Xbox One controllers",
                            "    - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller",
                            "    - Input: xpad - fix two controller table values",
                            "    - Input: synaptics - enable InterTouch on Dynabook Portege X30-D",
                            "    - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G",
                            "    - Input: synaptics - enable InterTouch on Dell Precision M3800",
                            "    - Input: synaptics - enable SMBus for HP Elitebook 850 G1",
                            "    - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5",
                            "    - rust: clean Rust 1.88.0's `unnecessary_transmutes` lint",
                            "    - objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0",
                            "    - rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros`",
                            "      configuration",
                            "    - uio_hv_generic: Fix sysfs creation path for ring buffer",
                            "    - staging: iio: adc: ad7816: Correct conditional logic for store mode",
                            "    - staging: axis-fifo: Remove hardware resets for user errors",
                            "    - staging: axis-fifo: Correct handling of tx_fifo_depth for size",
                            "      validation",
                            "    - mm: fix folio_pte_batch() on XEN PV",
                            "    - mm: vmalloc: support more granular vrealloc() sizing",
                            "    - mm/userfaultfd: fix uninitialized output field for -EAGAIN race",
                            "    - selftests/mm: compaction_test: support platform with huge mount of",
                            "      memory",
                            "    - selftests/mm: fix a build failure on powerpc",
                            "    - selftests/mm: fix build break when compiling pkey_util.c",
                            "    - KVM: x86/mmu: Prevent installing hugepages when mem attributes are",
                            "      changing",
                            "    - drm/amd/display: Shift DMUB AUX reply command if necessary",
                            "    - io_uring: ensure deferred completions are flushed for multishot",
                            "    - iio: adc: ad7768-1: Fix insufficient alignment of timestamp.",
                            "    - iio: adc: ad7266: Fix potential timestamp alignment issue.",
                            "    - iio: adc: ad7606: fix serial register access",
                            "    - iio: adc: rockchip: Fix clock initialization sequence",
                            "    - iio: adis16201: Correct inclinometer channel resolution",
                            "    - iio: chemical: sps30: use aligned_s64 for timestamp",
                            "    - iio: chemical: pms7003: use aligned_s64 for timestamp",
                            "    - iio: hid-sensor-prox: Restore lost scale assignments",
                            "    - iio: hid-sensor-prox: support multi-channel SCALE calculation",
                            "    - iio: hid-sensor-prox: Fix incorrect OFFSET calculation",
                            "    - iio: imu: inv_mpu6050: align buffer for timestamp",
                            "    - iio: pressure: mprls0025pa: use aligned_s64 for timestamp",
                            "    - Revert \"drm/amd: Stop evicting resources on APUs in suspend\"",
                            "    - drm/xe: Add page queue multiplier",
                            "    - drm/amdgpu: fix pm notifier handling",
                            "    - drm/amdgpu/vcn: using separate VCN1_AON_SOC offset",
                            "    - drm/amd/display: Fix the checking condition in dmub aux handling",
                            "    - drm/amd/display: Remove incorrect checking in dmub aux handler",
                            "    - drm/amd/display: Fix wrong handling for AUX_DEFER case",
                            "    - drm/amd/display: Copy AUX read reply data whenever length > 0",
                            "    - xhci: dbc: Avoid event polling busyloop if pending rx transfers are",
                            "      inactive.",
                            "    - usb: uhci-platform: Make the clock really optional",
                            "    - xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it",
                            "    - accel/ivpu: Increase state dump msg timeout",
                            "    - arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to",
                            "      prevent wrong idmap generation",
                            "    - clocksource/i8253: Use raw_spinlock_irqsave() in",
                            "      clockevent_i8253_disable()",
                            "    - x86/microcode: Consolidate the loader enablement checking",
                            "    - ocfs2: fix the issue with discontiguous allocation in the global_bitmap",
                            "    - ocfs2: switch osb->disable_recovery to enum",
                            "    - ocfs2: implement handshaking with ocfs2 recovery thread",
                            "    - ocfs2: stop quota recovery before disabling quotas",
                            "    - usb: dwc3: gadget: Make gadget_wakeup asynchronous",
                            "    - usb: cdnsp: Fix issue with resuming from L1",
                            "    - usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version",
                            "    - usb: gadget: f_ecm: Add get_status callback",
                            "    - usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN",
                            "    - usb: gadget: Use get_status callback to set remote wakeup capability",
                            "    - usb: host: tegra: Prevent host controller crash when OTG port is used",
                            "    - usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs",
                            "    - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition",
                            "    - USB: usbtmc: use interruptible sleep in usbtmc_read",
                            "    - usb: usbtmc: Fix erroneous get_stb ioctl error returns",
                            "    - usb: usbtmc: Fix erroneous wait_srq ioctl return",
                            "    - usb: usbtmc: Fix erroneous generic_read ioctl return",
                            "    - iio: imu: bmi270: fix initial sampling frequency configuration",
                            "    - iio: accel: adxl367: fix setting odr for activity time update",
                            "    - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer.",
                            "    - iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64",
                            "    - iio: adc: dln2: Use aligned_s64 for timestamp",
                            "    - timekeeping: Prevent coarse clocks going backwards",
                            "    - accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation",
                            "    - accel/ivpu: Correct mutex unlock order in job submission",
                            "    - MIPS: Fix MAX_REG_OFFSET",
                            "    - riscv: misaligned: Add handling for ZCB instructions",
                            "    - loop: factor out a loop_assign_backing_file helper",
                            "    - loop: Add sanity check for read/write_iter",
                            "    - drm/panel: simple: Update timings for AUO G101EVN010",
                            "    - nvme: unblock ctrl state transition for firmware update",
                            "    - riscv: misaligned: factorize trap handling",
                            "    - riscv: misaligned: enable IRQs while handling misaligned accesses",
                            "    - riscv: Disallow PR_GET_TAGGED_ADDR_CTRL without Supm",
                            "    - drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs",
                            "    - drm/xe: Release force wake first then runtime power",
                            "    - io_uring/sqpoll: Increase task_work submission batch size",
                            "    - do_umount(): add missing barrier before refcount checks in sync case",
                            "    - rust: allow Rust 1.87.0's `clippy::ptr_eq` lint",
                            "    - rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint",
                            "    - io_uring: always arm linked timeouts prior to issue",
                            "    - Bluetooth: btmtk: Remove the resetting step before downloading the fw",
                            "    - mm: page_alloc: don't steal single pages from biggest buddy",
                            "    - mm: page_alloc: speed up fallbacks in rmqueue_bulk()",
                            "    - arm64: insn: Add support for encoding DSB",
                            "    - arm64: proton-pack: Expose whether the platform is mitigated by firmware",
                            "    - arm64: proton-pack: Expose whether the branchy loop k value",
                            "    - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation",
                            "    - x86/bpf: Call branch history clearing sequence on exit",
                            "    - x86/bpf: Add IBHF call at end of classic BPF",
                            "    - x86/bhi: Do not set BHI_DIS_S in 32-bit mode",
                            "    - Documentation: x86/bugs/its: Add ITS documentation",
                            "    - x86/its: Enumerate Indirect Target Selection (ITS) bug",
                            "    - x86/its: Add support for ITS-safe indirect thunk",
                            "    - x86/its: Add support for ITS-safe return thunk",
                            "    - x86/its: Enable Indirect Target Selection mitigation",
                            "    - [Config] enable MITIGATION_ITS",
                            "    - x86/its: Add \"vmexit\" option to skip mitigation on some CPUs",
                            "    - x86/its: Add support for RSB stuffing mitigation",
                            "    - x86/its: Align RETs in BHB clear sequence to avoid thunking",
                            "    - x86/ibt: Keep IBT disabled during alternative patching",
                            "    - x86/its: Use dynamic thunks for indirect branches",
                            "    - selftest/x86/bugs: Add selftests for ITS",
                            "    - x86/its: Fix build errors when CONFIG_MODULES=n",
                            "    - x86/its: FineIBT-paranoid vs ITS",
                            "    - Linux 6.14.7",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37963",
                            "    - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37948",
                            "    - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37994",
                            "    - usb: typec: ucsi: displayport: Fix NULL pointer access",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37967",
                            "    - usb: typec: ucsi: displayport: Fix deadlock",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37950",
                            "    - ocfs2: fix panic in failed foilio allocation",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37995",
                            "    - module: ensure that kobject_put() is safe for module type kobjects",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37960",
                            "    - memblock: Accept allocated memory before use in memblock_double_array()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37996",
                            "    - KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37949",
                            "    - xenbus: Use kref to track req lifetime",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37954",
                            "    - smb: client: Avoid race in open_cached_dir with lease breaks",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37965",
                            "    - drm/amd/display: Fix invalid context error in dml helper",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37951",
                            "    - drm/v3d: Add job to pending list if the reset was skipped",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37968",
                            "    - iio: light: opt3001: fix deadlock due to concurrent flag access",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37969",
                            "    - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37970",
                            "    - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37966",
                            "    - riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37957",
                            "    - KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37958",
                            "    - mm/huge_memory: fix dereferencing invalid pmd migration entry",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37964",
                            "    - x86/mm: Eliminate window where TLB flushes may be inadvertently skipped",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37971",
                            "    - staging: bcm2835-camera: Initialise dev in v4l2_dev",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37972",
                            "    - Input: mtk-pmic-keys - fix possible null pointer dereference",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37959",
                            "    - bpf: Scrub packet on bpf_redirect_peer",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37961",
                            "    - ipvs: fix uninit-value for saddr in do_output_route4",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37993",
                            "    - can: m_can: m_can_class_allocate_dev(): initialize spin lock on device",
                            "      probe",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37955",
                            "    - virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37962",
                            "    - ksmbd: fix memory leak in parse_lease_state()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37998",
                            "    - openvswitch: Fix unsafe attribute parsing in output_userspace()",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37952",
                            "    - ksmbd: Fix UAF in __close_file_table_ids",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37947",
                            "    - ksmbd: prevent out-of-bounds stream writes by validating *pos",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37956",
                            "    - ksmbd: prevent rename with empty string",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37973",
                            "    - wifi: cfg80211: fix out-of-bounds access during multi-link element",
                            "      defragmentation",
                            "",
                            "  * Plucky update: v6.14.7 upstream stable release (LP: #2115252) //",
                            "    CVE-2025-37999",
                            "    - fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()",
                            "",
                            "  * Creating a VXLAN interface with a Fan mapping causes a NULL pointer",
                            "    dereference caught by ubuntu_fan_smoke_test:sut-scan (LP: #2113992)",
                            "    - SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID",
                            "",
                            "  * [Regression Updates] \"PCI: Explicitly put devices into D0 when",
                            "    initializing\" breaks pci-pass-through in QEMU/KVM (LP: #2117494)",
                            "    - PCI/PM: Set up runtime PM even for devices without PCI PM",
                            "",
                            "  * [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be",
                            "    loaded manually (LP: #2116061)",
                            "    - [Config] s390: Build ap driver into the kernel",
                            "",
                            "  * CVE-2025-38083",
                            "    - net_sched: prio: fix a race in prio_tune()",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-28.28",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2117649,
                            1786013,
                            2083800,
                            2116072,
                            2115898,
                            2115068,
                            2114516,
                            2113990,
                            2115022,
                            2114697,
                            2115174,
                            2114450,
                            2114258,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115266,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2115252,
                            2113992,
                            2117494,
                            2116061
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Wed, 23 Jul 2025 12:01:59 +0200"
                    }
                ],
                "notes": "linux-modules-6.14.0-32-generic version '6.14.0-32.32' (source package linux version '6.14.0-32.32') was added. linux-modules-6.14.0-32-generic version '6.14.0-32.32' has the same source package name, linux, as removed package linux-modules-6.14.0-24-generic. As such we can use the source package version of the removed package, '6.14.0-24.24', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.14.0-24-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-24.24",
                    "version": "6.14.0-24.24"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.14.0-24-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-24.24",
                    "version": "6.14.0-24.24"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.04 plucky image from daily image serial 20250717 to 20250923",
    "from_series": "plucky",
    "to_series": "plucky",
    "from_serial": "20250717",
    "to_serial": "20250923",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}