{"schema_version":"1.7.2","id":"OESA-2025-2802","modified":"2025-12-12T12:19:30Z","published":"2025-12-12T12:19:30Z","upstream":["CVE-2024-38381","CVE-2024-38584","CVE-2024-38615","CVE-2024-38633","CVE-2024-38659","CVE-2024-38667","CVE-2024-40902","CVE-2024-40904","CVE-2024-41079","CVE-2024-42101","CVE-2024-42102","CVE-2024-42245","CVE-2024-42247","CVE-2024-42297","CVE-2024-49863","CVE-2024-49875","CVE-2024-49894","CVE-2024-49905","CVE-2024-49925","CVE-2024-49930","CVE-2024-49935","CVE-2024-49948","CVE-2024-49949","CVE-2024-49950","CVE-2024-49957","CVE-2024-49962","CVE-2024-50002","CVE-2024-50005","CVE-2024-53131","CVE-2024-57887","CVE-2024-57900","CVE-2024-58095","CVE-2025-21945","CVE-2025-21968","CVE-2025-22022","CVE-2025-22025","CVE-2025-22026","CVE-2025-22039","CVE-2025-22042","CVE-2025-22043","CVE-2025-23133","CVE-2025-37822","CVE-2025-37861","CVE-2025-37899","CVE-2025-37973","CVE-2025-37994","CVE-2025-37997","CVE-2025-38005","CVE-2025-38058","CVE-2025-38071","CVE-2025-38109","CVE-2025-38231","CVE-2025-38282","CVE-2025-38350","CVE-2025-38361","CVE-2025-38443","CVE-2025-38457","CVE-2025-38470","CVE-2025-38477","CVE-2025-38527","CVE-2025-38566","CVE-2025-38588","CVE-2025-38614","CVE-2025-38617","CVE-2025-38636","CVE-2025-38664","CVE-2025-38706","CVE-2025-38727","CVE-2025-39675","CVE-2025-39677","CVE-2025-39684","CVE-2025-39697","CVE-2025-39810","CVE-2025-39817","CVE-2025-39825","CVE-2025-39866","CVE-2025-39881","CVE-2025-39911","CVE-2025-39947","CVE-2025-39994","CVE-2025-39996","CVE-2025-40016","CVE-2025-40049","CVE-2025-40052","CVE-2025-40058","CVE-2025-40061","CVE-2025-40074","CVE-2025-40075","CVE-2025-40104","CVE-2025-40121","CVE-2025-40135","CVE-2025-40139","CVE-2025-40149","CVE-2025-40155","CVE-2025-40158"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.(CVE-2024-38381)\n\nIn the Linux kernel, the following vulnerability has been resolved:net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()In the prueth_probe() function, if one of the calls to emac_phy_connect()fails due to of_phy_connect() returning NULL, then the subsequent call tophy_attached_info() will dereference a NULL pointer.Check the return code of emac_phy_connect and fail cleanly if there is anerror.(CVE-2024-38584)\n\nIn the Linux kernel, the following vulnerability has been resolved:cpufreq: exit() callback is optionalThe exit() callback is optional and shouldn t be called without checkinga valid pointer first.Also, we must clear freq_table pointer even if the exit() callback isn tpresent.(CVE-2024-38615)\n\nIn the Linux kernel, the following vulnerability has been resolved:serial: max3100: Update uart_driver_registered on driver removalThe removal of the last MAX3100 device triggers the removal ofthe driver. However, code doesn t update the respective globalvariable and after insmod — rmmod — insmod cycle the kerneloopses: max3100 spi-PRP0001:01: max3100_probe: adding port 0 BUG: kernel NULL pointer dereference, address: 0000000000000408 ... RIP: 0010:serial_core_register_port+0xa0/0x840 ... max3100_probe+0x1b6/0x280 [max3100] spi_probe+0x8d/0xb0Update the actual state so next time UART driver will be registeredagain.Hugo also noticed, that the error path in the probe also affectedby having the variable set, and not cleared. Instead of clearing itmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.(CVE-2024-38659)\n\nIn the Linux kernel, the following vulnerability has been resolved:riscv: prevent pt_regs corruption for secondary idle threadsTop of the kernel thread stack should be reserved for pt_regs. Howeverthis is not the case for the idle threads of the secondary boot harts.Their stacks overlap with their pt_regs, so both may get corrupted.Similar issue has been fixed for the primary hart, see c7cdd96eca28( riscv: prevent stack corruption by reserving task_pt_regs(p) early ).However that fix was not propagated to the secondary harts. The problemhas been noticed in some CPU hotplug tests with V enabled. The functionsmp_callin stored several registers on stack, corrupting top of pt_regsstructure including status field. As a result, kernel attempted to saveor restore inexistent V context.(CVE-2024-38667)\n\nIn the Linux kernel, the following vulnerability has been resolved:jfs: xattr: fix buffer overflow for invalid xattrWhen an xattr size is not what is expected, it is printed out to thekernel log in hex format as a form of debugging. But when that xattrsize is bigger than the expected size, printing it out can cause anaccess off the end of the buffer.Fix this all up by properly restricting the size of the debug hex dumpin the kernel log.(CVE-2024-40902)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\n\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver's immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\n\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#2: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#3: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#4: 98% system,\t 0% softirq,\t 3% hardirq,\t 0% idle\n\t#5: 98% system,\t 1% softirq,\t 3% hardirq,\t 0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\n\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls. Therefore we replace them with\ndev_err_ratelimited().(CVE-2024-40904)\n\nIn the Linux kernel, the following vulnerability has been resolved:nvmet: always initialize cqe.resultThe spec doesn t mandate that the first two double words (aka results)for the command queue entry need to be set to 0 when they are notused (not specified). Though, the target implemention returns 0 for TCPand FC but not for RDMA.Let s make RDMA behave the same and thus explicitly initializing theresult field. This prevents leaking any data from the stack.(CVE-2024-41079)\n\nIn the Linux kernel, the following vulnerability has been resolved:drm/nouveau: fix null pointer dereference in nouveau_connector_get_modesIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()is assigned to mode, which will lead to a possible NULL pointerdereference on failure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2024-42101)\n\nIn the Linux kernel, the following vulnerability has been resolved:Revert mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again Patch series mm: Avoid possible overflows in dirty throttling .Dirty throttling logic assumes dirty limits in page units fit into32-bits. This patch series makes sure this is true (see patch 2/2 formore details).This patch (of 2):This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.The commit is broken in several ways. Firstly, the removed (u64) castfrom the multiplication will introduce a multiplication overflow on 32-bitarchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - thedefault settings with 4GB of RAM will trigger this). Secondly, thediv64_u64() is unnecessarily expensive on 32-bit archs. We havediv64_ul() in case we want to be safe & cheap. Thirdly, if dirtythresholds are larger than 1<<32 pages, then dirty balancing is going toblow up in many other spectacular ways anyway so trying to fix onepossible overflow is just moot.(CVE-2024-42102)\n\nIn the Linux kernel, the following vulnerability has been resolved:Revert sched/fair: Make sure to try to detach at least one movable task This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.b0defa7ae03ec changed the load balancing logic to ignore env.max_loop ifall tasks examined to that point were pinned. The goal of the patch wasto make it more likely to be able to detach a task buried in a long listof pinned tasks. However, this has the unfortunate side effect ofcreating an O(n) iteration in detach_tasks(), as we now must fullyiterate every task on a cpu if all or most are pinned. Since this loadbalance code is done with rq lock held, and often in softirq context, itis very easy to trigger hard lockups. We observed such hard lockups witha user who affined O(10k) threads to a single cpu.When I discussed this with Vincent he initially suggested that we keepthe limit on the number of tasks to detach, but increase the number oftasks we can search. However, after some back and forth on the mailinglist, he recommended we instead revert the original patch, as it seemslikely no one was actually getting hit by the original issue.(CVE-2024-42245)\n\nIn the Linux kernel, the following vulnerability has been resolved:wireguard: allowedips: avoid unaligned 64-bit memory accessesOn the parisc platform, the kernel issues kernel warnings becauseswap_endian() tries to load a 128-bit IPv6 address from an unalignedmemory location: Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df) Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)Avoid such unaligned memory accesses by instead using theget_unaligned_be64() helper macro.[Jason: replace src[8] in original patch with src+8](CVE-2024-42247)\n\nIn the Linux kernel, the following vulnerability has been resolved:f2fs: fix to don t dirty inode for readonly filesystemsyzbot reports f2fs bug as below:kernel BUG at fs/f2fs/inode.c:933!RIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933Call Trace: evict+0x2a4/0x620 fs/inode.c:664 dispose_list fs/inode.c:697 [inline] evict_inodes+0x5f8/0x690 fs/inode.c:747 generic_shutdown_super+0x9d/0x2c0 fs/super.c:675 kill_block_super+0x44/0x90 fs/super.c:1667 kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894 deactivate_locked_super+0xc1/0x130 fs/super.c:484 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256 task_work_run+0x24a/0x300 kernel/task_work.c:180 ptrace_notify+0x2cd/0x380 kernel/signal.c:2399 ptrace_report_syscall include/linux/ptrace.h:411 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline] syscall_exit_work kernel/entry/common.c:251 [inline] syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296 do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88 entry_SYSCALL_64_after_hwframe+0x63/0x6bThe root cause is:- do_sys_open - f2fs_lookup - __f2fs_find_entry - f2fs_i_depth_write - f2fs_mark_inode_dirty_sync - f2fs_dirty_inode - set_inode_flag(inode, FI_DIRTY_INODE)- umount - kill_f2fs_super - kill_block_super - generic_shutdown_super - sync_filesystem : sb is readonly, skip sync_filesystem() - evict_inodes - iput - f2fs_evict_inode - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)) : trigger kernel panicWhen we try to repair i_current_depth in readonly filesystem, let sskip dirty inode to avoid panic in later f2fs_evict_inode().(CVE-2024-42297)\n\nIn the Linux kernel, the following vulnerability has been resolved:vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()Since commit 3f8ca2e115e5 ( vhost/scsi: Extract common handling codefrom control queue handler ) a null pointer dereference bug can betriggered when guest sends an SCSI AN request.In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with`&v_req.tmf.lun[1]` within a switch-case block and is then passed tovhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, fora `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` isset to NULL in this branch. Later, in vhost_scsi_get_req(),`vc->target` is dereferenced without being checked, leading to a nullpointer dereference bug. This bug can be triggered from guest.When this bug occurs, the vhost_worker process is killed while holding`vq->mutex` and the corresponding tpg will remain occupiedindefinitely.Below is the KASAN report:Oops: general protection fault, probably for non-canonical address0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTIKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS1.16.3-debian-1.16.3-2 04/01/2014RIP: 0010:vhost_scsi_get_req+0x165/0x3a0Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 0048 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b604 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00RSP: 0018:ffff888017affb50 EFLAGS: 00010246RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0Call Trace: <TASK> ? show_regs+0x86/0xa0 ? die_addr+0x4b/0xd0 ? exc_general_protection+0x163/0x260 ? asm_exc_general_protection+0x27/0x30 ? vhost_scsi_get_req+0x165/0x3a0 vhost_scsi_ctl_handle_vq+0x2a4/0xca0 ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10 ? __switch_to+0x721/0xeb0 ? __schedule+0xda5/0x5710 ? __kasan_check_write+0x14/0x30 ? _raw_spin_lock+0x82/0xf0 vhost_scsi_ctl_handle_kick+0x52/0x90 vhost_run_work_list+0x134/0x1b0 vhost_task_fn+0x121/0x350... </TASK>---[ end trace 0000000000000000 ]---Let s add a check in vhost_scsi_get_req.[whitespace fixes](CVE-2024-49863)\n\nIn the Linux kernel, the following vulnerability has been resolved:nfsd: map the EBADMSG to nfserr_io to avoid warningExt4 will throw -EBADMSG through ext4_readdir when a checksum erroroccurs, resulting in the following WARNING.Fix it by mapping EBADMSG to nfserr_io.nfsd_buffered_readdir iterate_dir // -EBADMSG -74 ext4_readdir // .iterate_shared ext4_dx_readdir ext4_htree_fill_tree htree_dirblock_to_tree ext4_read_dirblock __ext4_read_dirblock ext4_dirblock_csum_verify warn_no_space_for_csum __warn_no_space_for_csum return ERR_PTR(-EFSBADCRC) // -EBADMSG -74 nfserrno // WARNING[ 161.115610] ------------[ cut here ]------------[ 161.116465] nfsd: non-standard errno: -74[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0[ 161.118596] Modules linked in:[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[ 161.141519] PKRU: 55555554[ 161.142076] Call Trace:[ 161.142575] ? __warn+0x9b/0x140[ 161.143229] ? nfserrno+0x9d/0xd0[ 161.143872] ? report_bug+0x125/0x150[ 161.144595] ? handle_bug+0x41/0x90[ 161.145284] ? exc_invalid_op+0x14/0x70[ 161.146009] ? asm_exc_invalid_op+0x12/0x20[ 161.146816] ? nfserrno+0x9d/0xd0[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170[ 161.151004] ? generic_file_llseek_size+0x48/0x160[ 161.151895] nfsd_readdir+0x132/0x190[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380[ 161.153516] ? nfsd_unlink+0x380/0x380[ 161.154256] ? override_creds+0x45/0x60[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0[ 161.158494] ? lock_downgrade+0x90/0x90[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10[ 161.160092] nfsd4_encode_operation+0x15a/0x440[ 161.160959] nfsd4_proc_compound+0x718/0xe90[ 161.161818] nfsd_dispatch+0x18e/0x2c0[ 161.162586] svc_process_common+0x786/0xc50[ 161.163403] ? nfsd_svc+0x380/0x380[ 161.164137] ? svc_printk+0x160/0x160[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380[ 161.165808] ? nfsd_svc+0x380/0x380[ 161.166523] ? rcu_is_watching+0x23/0x40[ 161.167309] svc_process+0x1a5/0x200[ 161.168019] nfsd+0x1f5/0x380[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260[ 161.169554] kthread+0x1c4/0x210[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80[ 161.171246] ret_from_fork+0x1f/0x30(CVE-2024-49875)\n\nIn the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Fix index out of bounds in degamma hardware format translationFixes index out of bounds issue in`cm_helper_translate_curve_to_degamma_hw_format` function. The issuecould occur when the index i exceeds the number of transfer functionpoints (TRANSFER_FUNC_POINTS).The fix adds a check to ensure i is within bounds before accessing thetransfer function points. If i is out of bounds the function returnsfalse to indicate an error.Reported by smatch:drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow output_tf->tf_pts.red 1025 <= s32maxdrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow output_tf->tf_pts.green 1025 <= s32maxdrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow output_tf->tf_pts.blue 1025 <= s32max(CVE-2024-49894)\n\nIn the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Add null check for afb in amdgpu_dm_plane_handle_cursor_update (v2)This commit adds a null check for the afb variable in theamdgpu_dm_plane_handle_cursor_update function. Previously, afb wasassumed to be null, but was used later in the code without a null check.This could potentially lead to a null pointer dereference.Changes since v1:- Moved the null check for afb to the line where afb is used. (Alex)Fixes the below:drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed afb could be null (see line 1252)(CVE-2024-49905)\n\nIn the Linux kernel, the following vulnerability has been resolved:fbdev: efifb: Register sysfs groups through driver coreThe driver core can register and cleanup sysfs groups already.Make use of that functionality to simplify the error handling andcleanup.Also avoid a UAF race during unregistering where the sysctl attributeswere usable after the info struct was freed.(CVE-2024-49925)\n\nIn the Linux kernel, the following vulnerability has been resolved:wifi: ath11k: fix array out-of-bound access in SoC statsCurrently, the ath11k_soc_dp_stats::hal_reo_error array is defined with amaximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()function access ath11k_soc_dp_stats::hal_reo_error using the REOdestination SRNG ring ID, which is incorrect. SRNG ring ID differ fromnormal ring ID, and this usage leads to out-of-bounds array access. To fixthis issue, modify ath11k_dp_process_rx() to use the normal ring IDdirectly instead of the SRNG ring ID to avoid out-of-bounds array access.Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1(CVE-2024-49930)\n\nIn the Linux kernel, the following vulnerability has been resolved:ACPI: PAD: fix crash in exit_round_robin()The kernel occasionally crashes in cpumask_clear_cpu(), which is calledwithin exit_round_robin(), because when executing clear_bit(nr, addr) withnr set to 0xffffffff, the address calculation may cause misalignment withinthe memory, leading to access to an invalid memory address.----------BUG: unable to handle kernel paging request at ffffffffe0740618 ...CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1 ...RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000eR13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000eFS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400PKRU: 55555554Call Trace: ? acpi_pad_add+0x120/0x120 [acpi_pad] kthread+0x10b/0x130 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x40 ...CR2: ffffffffe0740618crash> dis -lr ffffffffc0726923 .../usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 1140xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 3250xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 800xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits>crash> px tsk_in_cpu[14]$66 = 0xffffffffcrash> px 0xffffffffc072692c+0x19cf4$99 = 0xffffffffc0740620crash> sym 0xffffffffc0740620ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]crash> px pad_busy_cpus_bits[0]$42 = 0xfffc0----------To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before callingcpumask_clear_cpu() in exit_round_robin(), just as it is done inround_robin_cpu().[ rjw: Subject edit, avoid updates to the same value ](CVE-2024-49935)\n\nIn the Linux kernel, the following vulnerability has been resolved:net: add more sanity checks to qdisc_pkt_len_init()One path takes care of SKB_GSO_DODGY, assumingskb->len is bigger than hdr_len.virtio_net_hdr_to_skb() does not fully dissect TCP headers,it only make sure it is at least 20 bytes.It is possible for an user to provide a malicious GSO packet,total length of 80 bytes.- 20 bytes of IPv4 header- 60 bytes TCP header- a small gso_size like 8virtio_net_hdr_to_skb() would declare this packet as a normalGSO packet, because it would see 40 bytes of payload,bigger than gso_size.We need to make detect this case to not underflowqdisc_skb_cb(skb)->pkt_len.(CVE-2024-49948)\n\nIn the Linux kernel, the following vulnerability has been resolved:net: avoid potential underflow in qdisc_pkt_len_init() with UFOAfter commit 7c6d2ecbda83 ( net: be more gentle about silly gsorequests coming from user ) virtio_net_hdr_to_skb() had sanity checkto detect malicious attempts from user space to cook a bad GSO packet.Then commit cf9acc90c80ec ( net: virtio_net_hdr_to_skb: counttransport header in UFO ) while fixing one issue, allowed user spaceto cook a GSO packet with the following characteristic :IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.When this packet arrives in qdisc_pkt_len_init(), we end upwith hdr_len = 28 (IPv4 header + UDP header), matching skb->lenThen the following sets gso_segs to 0 :gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size);Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;This leads to the following crash in fq_codel [1]qdisc_pkt_len_init() is best effort, we only want an estimationof the bytes sent on the wire, not crashing the kernel.This patch is fixing this particular issue, a following oneadds more sanity checks for another potential bug.[1][ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000[ 70.724561] #PF: supervisor read access in kernel mode[ 70.724561] #PF: error_code(0x0000) - not-present page[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49All code======== 0: 24 08 and $0x8,%al 2: 49 c1 e1 06 shl $0x6,%r9 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) b: 45 31 ed xor %r13d,%r13d e: 45 31 c0 xor %r8d,%r8d 11: 31 ff xor %edi,%edi 13: 89 44 24 14 mov %eax,0x14(%rsp) 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 1e: eb 04 jmp 0x24 20: 39 ca cmp %ecx,%edx 22: 73 37 jae 0x5b 24: 4d 8b 39 mov (%r9),%r15 27: 83 c7 01 add $0x1,%edi 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction 2d: 49 89 11 mov %rdx,(%r9) 30: 41 8b 57 28 mov 0x28(%r15),%edx 34: 45 8b 5f 34 mov 0x34(%r15),%r11d 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 3f: 49 rex.WBCode starting with the faulting instruction=========================================== 0: 49 8b 17 mov (%r15),%rdx 3: 49 89 11 mov %rdx,(%r9) 6: 41 8b 57 28 mov 0x28(%r15),%edx a: 45 8b 5f 34 mov 0x34(%r15),%r11d e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 15: 49 rex.WB[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C---truncated---(CVE-2024-49949)\n\nIn the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix uaf in l2cap_connect[Syzbot reported]BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024Workqueue: hci2 hci_rx_workCall Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244...Freed by task 5245: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x12a/0x3b0 mm/slub.c:4598 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244(CVE-2024-49950)\n\nIn the Linux kernel, the following vulnerability has been resolved:ocfs2: fix null-ptr-deref when journal load failed.During the mounting process, if journal_reset() fails because of too shortjournal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. Subsequently, ocfs2_journal_shutdown() callsjbd2_journal_flush()->jbd2_cleanup_journal_tail()->__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()->lock_buffer(journal->j_sb_buffer), resulting in a null-pointerdereference error.To resolve this issue, we should check the JBD2_LOADED flag to ensure thejournal was properly loaded. Additionally, use journal instead ofosb->journal directly to simplify the code.(CVE-2024-49957)\n\nIn the Linux kernel, the following vulnerability has been resolved:ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will causeNULL pointer dereference later.[ rjw: Subject and changelog edits ](CVE-2024-49962)\n\nIn the Linux kernel, the following vulnerability has been resolved:static_call: Handle module init failure correctly in static_call_del_module()Module insertion invokes static_call_add_module() to initialize the staticcalls in a module. static_call_add_module() invokes __static_call_init(),which allocates a struct static_call_mod to either encapsulate the built-instatic call sites of the associated key into it so further modules can beadded or to append the module to the module chain.If that allocation fails the function returns with an error code and themodule core invokes static_call_del_module() to clean up eventually addedstatic_call_mod entries.This works correctly, when all keys used by the module were converted overto a module chain before the failure. If not then static_call_del_module()causes a #GP as it blindly assumes that key::mods points to a valid structstatic_call_mod.The problem is that key::mods is not a individual struct member of structstatic_call_key, it s part of a union to save space: union { /* bit 0: 0 = mods, 1 = sites */ unsigned long type; struct static_call_mod *mods; struct static_call_site *sites; };key::sites is a pointer to the list of built-in usage sites of the staticcall. The type of the pointer is differentiated by bit 0. A mods pointerhas the bit clear, the sites pointer has the bit set.As static_call_del_module() blidly assumes that the pointer is a validstatic_call_mod type, it fails to check for this failure case anddereferences the pointer to the list of built-in call sites, which isobviously bogus.Cure it by checking whether the key has a sites or a mods pointer.If it s a sites pointer then the key is not to be touched. As the sites arewalked in the same order as in __static_call_init() the site walk can beterminated because all subsequent sites have not been touched by the initcode due to the error exit.If it was converted before the allocation fail, then the inner loop whichsearches for a module match will find nothing.A fail in the second allocation in __static_call_init() is harmless anddoes not require special treatment. The first allocation succeeded andconverted the key to a module chain. That first entry has mod::mod == NULLand mod::next == NULL, so the inner loop of static_call_del_module() willneither find a module match nor a module chain. The next site in the walkwas either already converted, but can t match the module, or it will exitthe outer loop because it has a static_call_site pointer and not astatic_call_mod pointer.(CVE-2024-50002)\n\nIn the Linux kernel, the following vulnerability has been resolved:mac802154: Fix potential RCU dereference issue in mac802154_scan_workerIn the `mac802154_scan_worker` function, the `scan_req->type` field wasaccessed after the RCU read-side critical section was unlocked. Accordingto RCU usage rules, this is illegal and can lead to unpredictablebehavior, such as accessing memory that has been updated or causinguse-after-free issues.This possible bug was identified using a static analysis tool developedby myself, specifically designed to detect RCU-related issues.To address this, the `scan_req->type` value is now stored in a localvariable `scan_req_type` while still within the RCU read-side criticalsection. The `scan_req_type` is then used after the RCU lock is released,ensuring that the type value is safely accessed without violating RCUrules.(CVE-2024-50005)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_touch_buffer tracepoint\n\nPatch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".\n\nThis series fixes null pointer dereference bugs that occur when using\nnilfs2 and two block-related tracepoints.\n\n\nThis patch (of 2):\n\nIt has been reported that when using "block:block_touch_buffer"\ntracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a\nNULL pointer dereference, or a general protection fault when KASAN is\nenabled.\n\nThis happens because since the tracepoint was added in touch_buffer(), it\nreferences the dev_t member bh->b_bdev->bd_dev regardless of whether the\nbuffer head has a pointer to a block_device structure. In the current\nimplementation, the block_device structure is set after the function\nreturns to the caller.\n\nHere, touch_buffer() is used to mark the folio/page that owns the buffer\nhead as accessed, but the common search helper for folio/page used by the\ncaller function was optimized to mark the folio/page as accessed when it\nwas reimplemented a long time ago, eliminating the need to call\ntouch_buffer() here in the first place.\n\nSo this solves the issue by eliminating the touch_buffer() call itself.(CVE-2024-53131)\n\nIn the Linux kernel, the following vulnerability has been resolved:drm: adv7511: Fix use-after-free in adv7533_attach_dsi()The host_node pointer was assigned and freed in adv7533_parse_dt(), andlater, adv7533_attach_dsi() uses the same. Fix this use-after-free issueby dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()in error path of probe() and also in the remove().(CVE-2024-57887)\n\nIn the Linux kernel, the following vulnerability has been resolved:ila: serialize calls to nf_register_net_hooks()syzbot found a race in ila_add_mapping() [1]commit 031ae72825ce ( ila: call nf_unregister_net_hooks() sooner )attempted to fix a similar issue.Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.Add a mutex to make sure at most one thread is calling nf_register_net_hooks().[1] BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049(CVE-2024-57900)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\njfs: add check read-only before txBeginAnon() call\n\nAdded a read-only check before calling `txBeginAnon` in `extAlloc`\nand `extRecord`. This prevents modification attempts on a read-only\nmounted filesystem, avoiding potential errors or crashes.\n\nCall trace:\n txBeginAnon+0xac/0x154\n extAlloc+0xe8/0xdec fs/jfs/jfs_extent.c:78\n jfs_get_block+0x340/0xb98 fs/jfs/inode.c:248\n __block_write_begin_int+0x580/0x166c fs/buffer.c:2128\n __block_write_begin fs/buffer.c:2177 [inline]\n block_write_begin+0x98/0x11c fs/buffer.c:2236\n jfs_write_begin+0x44/0x88 fs/jfs/inode.c:299(CVE-2024-58095)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_lock\n\nIf smb_lock->zero_len has value, ->llist of smb_lock is not delete and\nflock is old one. It will cause use-after-free on error handling\nroutine.(CVE-2025-21945)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix slab-use-after-free on hdcp_work\n\n[Why]\nA slab-use-after-free is reported when HDCP is destroyed but the\nproperty_validate_dwork queue is still running.\n\n[How]\nCancel the delayed work when destroying workqueue.\n\n(cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128)(CVE-2025-21968)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt's possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don't know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial "PCIe splitter" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit's not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---(CVE-2025-22022)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: put dl_stid if fail to queue dl_recall\n\nBefore calling nfsd4_run_cb to queue dl_recall to the callback_wq, we\nincrement the reference count of dl_stid.\nWe expect that after the corresponding work_struct is processed, the\nreference count of dl_stid will be decremented through the callback\nfunction nfsd4_cb_recall_release.\nHowever, if the call to nfsd4_run_cb fails, the incremented reference\ncount of dl_stid will not be decremented correspondingly, leading to the\nfollowing nfs4_stid leak:\nunreferenced object 0xffff88812067b578 (size 344):\n comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)\n hex dump (first 32 bytes):\n 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........\n 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N..\n backtrace:\n kmem_cache_alloc+0x4b9/0x700\n nfsd4_process_open1+0x34/0x300\n nfsd4_open+0x2d1/0x9d0\n nfsd4_proc_compound+0x7a2/0xe30\n nfsd_dispatch+0x241/0x3e0\n svc_process_common+0x5d3/0xcc0\n svc_process+0x2a3/0x320\n nfsd+0x180/0x2e0\n kthread+0x199/0x1d0\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1b/0x30\nunreferenced object 0xffff8881499f4d28 (size 368):\n comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I....\n 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... .......\n backtrace:\n kmem_cache_alloc+0x4b9/0x700\n nfs4_alloc_stid+0x29/0x210\n alloc_init_deleg+0x92/0x2e0\n nfs4_set_delegation+0x284/0xc00\n nfs4_open_delegation+0x216/0x3f0\n nfsd4_process_open2+0x2b3/0xee0\n nfsd4_open+0x770/0x9d0\n nfsd4_proc_compound+0x7a2/0xe30\n nfsd_dispatch+0x241/0x3e0\n svc_process_common+0x5d3/0xcc0\n svc_process+0x2a3/0x320\n nfsd+0x180/0x2e0\n kthread+0x199/0x1d0\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1b/0x30\nFix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if\nfail to queue dl_recall.(CVE-2025-22025)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don't ignore the return code of svc_proc_register()\n\nCurrently, nfsd_proc_stat_init() ignores the return value of\nsvc_proc_register(). If the procfile creation fails, then the kernel\nwill WARN when it tries to remove the entry later.\n\nFix nfsd_proc_stat_init() to return the same type of pointer as\nsvc_proc_register(), and fix up nfsd_net_init() to check that and fail\nthe nfsd_net construction if it occurs.\n\nsvc_proc_register() can fail if the dentry can't be allocated, or if an\nidentical dentry already exists. The second case is pretty unlikely in\nthe nfsd_net construction codepath, so if this happens, return -ENOMEM.(CVE-2025-22026)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix overflow in dacloffset bounds check\n\nThe dacloffset field was originally typed as int and used in an\nunchecked addition, which could overflow and bypass the existing\nbounds check in both smb_check_perm_dacl() and smb_inherit_dacl().\n\nThis could result in out-of-bounds memory access and a kernel crash\nwhen dereferencing the DACL pointer.\n\nThis patch converts dacloffset to unsigned int and uses\ncheck_add_overflow() to validate access to the DACL.(CVE-2025-22039)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add bounds check for create lease context\n\nAdd missing bounds check for create lease context.(CVE-2025-22042)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add bounds check for durable handle context\n\nAdd missing bounds check for durable handle context.(CVE-2025-22043)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: update channel list in reg notifier instead reg worker\n\nCurrently when ath11k gets a new channel list, it will be processed\naccording to the following steps:\n1. update new channel list to cfg80211 and queue reg_work.\n2. cfg80211 handles new channel list during reg_work.\n3. update cfg80211's handled channel list to firmware by\nath11k_reg_update_chan_list().\n\nBut ath11k will immediately execute step 3 after reg_work is just\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\nhandling the new channel list, which may leading to an out-of-bounds\nwrite error:\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\nCall Trace:\n ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\n kfree+0x109/0x3a0\n ath11k_regd_update+0x1cf/0x350 [ath11k]\n ath11k_regd_update_work+0x14/0x20 [ath11k]\n process_one_work+0xe35/0x14c0\n\nShould ensure step 2 is completely done before executing step 3. Thus\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\ncfg80211 will notify ath11k after step 2 is done.\n\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\nnotify ath11k after step 2 is done. At this time, there will be no\nKASAN bug during the execution of the step 3.\n\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/(CVE-2025-23133)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nriscv: uprobes: Add missing fence.i after building the XOL buffer\n\nThe XOL (execute out-of-line) buffer is used to single-step the\nreplaced instruction(s) for uprobes. The RISC-V port was missing a\nproper fence.i (i$ flushing) after constructing the XOL buffer, which\ncan result in incorrect execution of stale/broken instructions.\n\nThis was found running the BPF selftests "test_progs:\nuprobe_autoattach, attach_probe" on the Spacemit K1/X60, where the\nuprobes tests randomly blew up.(CVE-2025-37822)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue\n\nWhen the task management thread processes reply queues while the reset\nthread resets them, the task management thread accesses an invalid queue ID\n(0xFFFF), set by the reset thread, which points to unallocated memory,\ncausing a crash.\n\nAdd flag 'io_admin_reset_sync' to synchronize access between the reset,\nI/O, and admin threads. Before a reset, the reset handler sets this flag to\nblock I/O and admin processing threads. If any thread bypasses the initial\ncheck, the reset thread waits up to 10 seconds for processing to finish. If\nthe wait exceeds 10 seconds, the controller is marked as unrecoverable.(CVE-2025-37861)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in session logoff\n\nThe sess->user object can currently be in use by another thread, for\nexample if another connection has sent a session setup request to\nbind to the session being free'd. The handler for that connection could\nbe in the smb2_sess_setup function which makes use of sess->user.(CVE-2025-37899)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation\n\nCurrently during the multi-link element defragmentation process, the\nmulti-link element length added to the total IEs length when calculating\nthe length of remaining IEs after the multi-link element in\ncfg80211_defrag_mle(). This could lead to out-of-bounds access if the\nmulti-link element or its corresponding fragment elements are the last\nelements in the IEs buffer.\n\nTo address this issue, correctly calculate the remaining IEs length by\ndeducting the multi-link element end offset from total IEs end offset.(CVE-2025-37973)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix NULL pointer access\n\nThis patch ensures that the UCSI driver waits for all pending tasks in the\nucsi_displayport_work workqueue to finish executing before proceeding with\nthe partner removal.(CVE-2025-37994)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix region locking in hash types\n\nRegion locking introduced in v5.6-rc4 contained three macros to handle\nthe region locks: ahash_bucket_start(), ahash_bucket_end() which gave\nback the start and end hash bucket values belonging to a given region\nlock and ahash_region() which should give back the region lock belonging\nto a given hash bucket. The latter was incorrect which can lead to a\nrace condition between the garbage collector and adding new elements\nwhen a hash type of set is defined with timeouts.(CVE-2025-37997)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Add missing locking\n\nRecent kernels complain about a missing lock in k3-udma.c when the lock\nvalidator is enabled:\n\n[ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238\n[ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28\n[ 4.144867] Hardware name: pp-v12 (DT)\n[ 4.148648] Workqueue: events udma_check_tx_completion\n[ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 4.160834] pc : udma_start.isra.0+0x34/0x238\n[ 4.165227] lr : udma_start.isra.0+0x30/0x238\n[ 4.169618] sp : ffffffc083cabcf0\n[ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005\n[ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000\n[ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670\n[ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030\n[ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048\n[ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001\n[ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68\n[ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8\n[ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000\n[ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000\n[ 4.244986] Call trace:\n[ 4.247463] udma_start.isra.0+0x34/0x238\n[ 4.251509] udma_check_tx_completion+0xd0/0xdc\n[ 4.256076] process_one_work+0x244/0x3fc\n[ 4.260129] process_scheduled_works+0x6c/0x74\n[ 4.264610] worker_thread+0x150/0x1dc\n[ 4.268398] kthread+0xd8/0xe8\n[ 4.271492] ret_from_fork+0x10/0x20\n[ 4.275107] irq event stamp: 220\n[ 4.278363] hardirqs last enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50\n[ 4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50\n[ 4.294879] softirqs last enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc\n[ 4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28\n[ 4.311559] ---[ end trace 0000000000000000 ]---\n\nThis commit adds the missing locking.(CVE-2025-38005)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\n__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock\n\n... or we risk stealing final mntput from sync umount - raising mnt_count\nafter umount(2) has verified that victim is not busy, but before it\nhas set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see\nthat it's safe to quietly undo mnt_count increment and leaves dropping\nthe reference to caller, where it'll be a full-blown mntput().\n\nCheck under mount_lock is needed; leaving the current one done before\ntaking that makes no sense - it's nowhere near common enough to bother\nwith.(CVE-2025-38058)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Check return value from memblock_phys_alloc_range()\n\nAt least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of\ncontiguous free memory available at this point, the kernel will crash\nand burn because memblock_phys_alloc_range() returns 0 on failure,\nwhich leads memblock_phys_free() to throw the first 4 MiB of physical\nmemory to the wolves.\n\nAt a minimum it should fail gracefully with a meaningful diagnostic,\nbut in fact everything seems to work fine without the weird reserve\nallocation.(CVE-2025-38071)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---(CVE-2025-38109)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Initialize ssc before laundromat_work to prevent NULL dereference\n\nIn nfs4_state_start_net(), laundromat_work may access nfsd_ssc through\nnfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,\nthis can cause NULL pointer dereference.\n\nNormally the delayed start of laundromat_work allows sufficient time for\nnfsd_ssc initialization to complete. However, when the kernel waits too\nlong for userspace responses (e.g. in nfs4_state_start_net ->\nnfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->\ncld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the\ndelayed work may start before nfsd_ssc initialization finishes.\n\nFix this by moving nfsd_ssc initialization before starting laundromat_work.(CVE-2025-38231)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Relax constraint in draining guard\n\nThe active reference lifecycle provides the break/unbreak mechanism but\nthe active reference is not truly active after unbreak -- callers don't\nuse it afterwards but it's important for proper pairing of kn->active\ncounting. Assuming this mechanism is in place, the WARN check in\nkernfs_should_drain_open_files() is too sensitive -- it may transiently\ncatch those (rightful) callers between\nkernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen\nRidong:\n\n\tkernfs_remove_by_name_ns\tkernfs_get_active // active=1\n\t__kernfs_remove\t\t\t\t\t // active=0x80000002\n\tkernfs_drain\t\t\t...\n\twait_event\n\t//waiting (active == 0x80000001)\n\t\t\t\t\tkernfs_break_active_protection\n\t\t\t\t\t// active = 0x80000001\n\t// continue\n\t\t\t\t\tkernfs_unbreak_active_protection\n\t\t\t\t\t// active = 0x80000002\n\t...\n\tkernfs_should_drain_open_files\n\t// warning occurs\n\t\t\t\t\tkernfs_put_active\n\nTo avoid the false positives (mind panic_on_warn) remove the check altogether.\n(This is meant as quick fix, I think active reference break/unbreak may be\nsimplified with larger rework.)(CVE-2025-38282)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes' dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent's parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n tc qdisc add dev lo root handle 1: drr\n tc filter add dev lo parent 1: basic classid 1:1\n tc class add dev lo parent 1: classid 1:1 drr\n tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n tc qdisc add dev lo parent 2:1 handle 3: netem\n tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n tc class delete dev lo classid 1:1\n echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent.(CVE-2025-38350)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check dce_hwseq before dereferencing it\n\n[WHAT]\n\nhws was checked for null earlier in dce110_blank_stream, indicating hws\ncan be null, and should be checked whenever it is used.\n\n(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad)(CVE-2025-38361)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_genl_connect() error path\n\nThere is a use-after-free issue in nbd:\n\nblock nbd6: Receive control failed (result -104)\nblock nbd6: shutting down sockets\n==================================================================\nBUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022\nWrite of size 4 at addr ffff8880295de478 by task kworker/u33:0/67\n\nCPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: nbd6-recv recv_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]\n recv_work+0x694/0xa80 drivers/block/nbd.c:1022\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nnbd_genl_connect() does not properly stop the device on certain\nerror paths after nbd_start_device() has been called. This causes\nthe error path to put nbd->config while recv_work continue to use\nthe config after putting it, leading to use-after-free in recv_work.\n\nThis patch moves nbd_start_device() after the backend file creation.(CVE-2025-38443)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion's patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs' init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc's qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is ensure that qdisc_leaf() which looks up the parent\nclass, and is invoked prior to qdisc_create(), should return failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn't correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/(CVE-2025-38457)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n\nAssuming the "rx-vlan-filter" feature is enabled on a net device, the\n8021q module will automatically add or remove VLAN 0 when the net device\nis put administratively up or down, respectively. There are a couple of\nproblems with the above scheme.\n\nThe first problem is a memory leak that can happen if the "rx-vlan-filter"\nfeature is disabled while the device is running:\n\n # ip link add bond1 up type bond mode 0\n # ethtool -K bond1 rx-vlan-filter off\n # ip link del dev bond1\n\nWhen the device is put administratively down the "rx-vlan-filter"\nfeature is disabled, so the 8021q module will not remove VLAN 0 and the\nmemory will be leaked [1].\n\nAnother problem that can happen is that the kernel can automatically\ndelete VLAN 0 when the device is put administratively down despite not\nadding it when the device was put administratively up since during that\ntime the "rx-vlan-filter" feature was disabled. null-ptr-unref or\nbug_on[2] will be triggered by unregister_vlan_dev() for refcount\nimbalance if toggling filtering during runtime:\n\n$ ip link add bond0 type bond mode 0\n$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q\n$ ethtool -K bond0 rx-vlan-filter off\n$ ifconfig bond0 up\n$ ethtool -K bond0 rx-vlan-filter on\n$ ifconfig bond0 down\n$ ip link del vlan0\n\nRoot cause is as below:\nstep1: add vlan0 for real_dev, such as bond, team.\nregister_vlan_dev\n vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1\nstep2: disable vlan filter feature and enable real_dev\nstep3: change filter from 0 to 1\nvlan_device_event\n vlan_filter_push_vids\n ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0\nstep4: real_dev down\nvlan_device_event\n vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0\n vlan_info_rcu_free //free vlan0\nstep5: delete vlan0\nunregister_vlan_dev\n BUG_ON(!vlan_info); //vlan_info is null\n\nFix both problems by noting in the VLAN info whether VLAN 0 was\nautomatically added upon NETDEV_UP and based on that decide whether it\nshould be deleted upon NETDEV_DOWN, regardless of the state of the\n"rx-vlan-filter" feature.\n\n[1]\nunreferenced object 0xffff8880068e3100 (size 256):\n comm "ip", pid 384, jiffies 4296130254\n hex dump (first 32 bytes):\n 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 81ce31fa):\n __kmalloc_cache_noprof+0x2b5/0x340\n vlan_vid_add+0x434/0x940\n vlan_device_event.cold+0x75/0xa8\n notifier_call_chain+0xca/0x150\n __dev_notify_flags+0xe3/0x250\n rtnl_configure_link+0x193/0x260\n rtnl_newlink_create+0x383/0x8e0\n __rtnl_newlink+0x22c/0xa40\n rtnl_newlink+0x627/0xb00\n rtnetlink_rcv_msg+0x6fb/0xb70\n netlink_rcv_skb+0x11f/0x350\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n\n[2]\nkernel BUG at net/8021q/vlan.c:99!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))\nRSP: 0018:ffff88810badf310 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8\nRBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80\nR10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000\nR13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e\nFS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0\nCall Trace:\n <TASK\n---truncated---(CVE-2025-38470)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when 'agg' is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats.(CVE-2025-38477)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n cifs_oplock_break()\n _cifsFileInfo_put(cfile)\n cifsFileInfo_put_final()\n cifs_sb_deactive()\n [last ref, start releasing sb]\n kill_sb()\n kill_anon_super()\n generic_shutdown_super()\n evict_inodes()\n dispose_list()\n evict()\n destroy_inode()\n call_rcu(&inode->i_rcu, i_callback)\n spin_lock(&cinode->open_file_lock) <- OK\n [later] i_callback()\n cifs_free_inode()\n kmem_cache_free(cinode)\n spin_unlock(&cinode->open_file_lock) <- UAF\n cifs_done_oplock_break(cinode) <- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes.(CVE-2025-38527)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator's kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert's level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.(CVE-2025-38566)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, &f6i->fib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i->fib6_nsiblings is zero.(CVE-2025-38588)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don't\nlimit the depth of the resulting tree for two reasons:\n\n - They don't look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n the paths is actually considered for the depth check since commit\n 28d82dc1c4ed ("epoll: limit paths").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion\nproblem").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.(CVE-2025-38614)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po->bind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n("net/packet: fix a race in packet_bind() and packet_notifier()").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo->bind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po->num to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po->bind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history.(CVE-2025-38617)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrv: Use strings in da monitors tracepoints\n\nUsing DA monitors tracepoints with KASAN enabled triggers the following\nwarning:\n\n BUG: KASAN: global-out-of-bounds in do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0\n Read of size 32 at addr ffffffffaada8980 by task ...\n Call Trace:\n <TASK>\n [...]\n do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0\n ? __pfx_do_trace_event_raw_event_event_da_monitor+0x10/0x10\n ? trace_event_sncid+0x83/0x200\n trace_event_sncid+0x163/0x200\n [...]\n The buggy address belongs to the variable:\n automaton_snep+0x4e0/0x5e0\n\nThis is caused by the tracepoints reading 32 bytes __array instead of\n__string from the automata definition. Such strings are literals and\nreading 32 bytes ends up in out of bound memory accesses (e.g. the next\nautomaton's data in this case).\nThe error is harmless as, while printing the string, we stop at the null\nterminator, but it should still be fixed.\n\nUse the __string facilities while defining the tracepoints to avoid\nreading out of bound memory.(CVE-2025-38636)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix a null pointer dereference in ice_copy_and_init_pkg()\n\nAdd check for the return value of devm_kmemdup()\nto prevent potential null pointer dereference.(CVE-2025-38664)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()\n\nsnd_soc_remove_pcm_runtime() might be called with rtd == NULL which will\nleads to null pointer dereference.\nThis was reproduced with topology loading and marking a link as ignore\ndue to missing hardware component on the system.\nOn module removal the soc_tplg_remove_link() would call\nsnd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,\nno runtime was created.(CVE-2025-38706)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket's read memory allocation\nconstraints. Firstly, it has:\n\n rmem < READ_ONCE(sk->sk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket's receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)\n\nThe checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is\nequal to sk->sk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n (t=26000 jiffies g=230833 q=259957)\n NMI backtrace for cpu 0\n CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n Call Trace:\n <IRQ>\n dump_stack lib/dump_stack.c:120\n nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n update_process_times kernel/time/timer.c:1953\n tick_sched_handle kernel/time/tick-sched.c:227\n tick_sched_timer kernel/time/tick-sched.c:1399\n __hrtimer_run_queues kernel/time/hrtimer.c:1652\n hrtimer_interrupt kernel/time/hrtimer.c:1717\n __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n </IRQ>\n\n netlink_attachskb net/netlink/af_netlink.c:1234\n netlink_unicast net/netlink/af_netlink.c:1349\n kauditd_send_queue kernel/audit.c:776\n kauditd_thread kernel/audit.c:897\n kthread kernel/kthread.c:328\n ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting.org).(CVE-2025-38727)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()\n\nThe function mod_hdcp_hdcp1_create_session() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference.\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.\n\nThis is similar to the commit c3e9826a2202\n("drm/amd/display: Add null pointer check for get_first_active_display()").\n\n(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)(CVE-2025-39675)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix backlog accounting in qdisc_dequeue_internal\n\nThis issue applies for the following qdiscs: hhf, fq, fq_codel, and\nfq_pie, and occurs in their change handlers when adjusting to the new\nlimit. The problem is the following in the values passed to the\nsubsequent qdisc_tree_reduce_backlog call given a tbf parent:\n\n When the tbf parent runs out of tokens, skbs of these qdiscs will\n be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued,\n which accounts for both qlen and backlog. However, in the case of\n qdisc_dequeue_internal, ONLY qlen is accounted for when pulling\n from gso_skb. This means that these qdiscs are missing a\n qdisc_qstats_backlog_dec when dropping packets to satisfy the\n new limit in their change handlers.\n\n One can observe this issue with the following (with tc patched to\n support a limit of 0):\n\n export TARGET=fq\n tc qdisc del dev lo root\n tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms\n tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000\n echo ''; echo 'add child'; tc -s -d qdisc show dev lo\n ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null\n echo ''; echo 'after ping'; tc -s -d qdisc show dev lo\n tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0\n echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo\n tc qdisc replace dev lo handle 2: parent 1:1 sfq\n echo ''; echo 'post graft'; tc -s -d qdisc show dev lo\n\n The second to last show command shows 0 packets but a positive\n number (74) of backlog bytes. The problem becomes clearer in the\n last show command, where qdisc_purge_queue triggers\n qdisc_tree_reduce_backlog with the positive backlog and causes an\n underflow in the tbf parent's backlog (4096 Mb instead of 0).\n\nTo fix this issue, the codepath for all clients of qdisc_dequeue_internal\nhas been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel.\nqdisc_dequeue_internal handles the backlog adjustments for all cases that\ndo not directly use the dequeue handler.\n\nThe old fq_codel_change limit adjustment loop accumulated the arguments to\nthe subsequent qdisc_tree_reduce_backlog call through the cstats field.\nHowever, this is confusing and error prone as fq_codel_dequeue could also\npotentially mutate this field (which qdisc_dequeue_internal calls in the\nnon gso_skb case), so we have unified the code here with other qdiscs.(CVE-2025-39677)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel\nbuffer is allocated to hold `insn->n` samples (each of which is an\n`unsigned int`). For some instruction types, `insn->n` samples are\ncopied back to user-space, unless an error code is being returned. The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn->n` samples, so that there is\nan information leak. There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler. For `INSN_READ` it only fills in at most 1 sample, so if\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer.(CVE-2025-39684)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn't\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let's take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request().(CVE-2025-39697)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix memory corruption when FW resources change during ifdown\n\nbnxt_set_dflt_rings() assumes that it is always called before any TC has\nbeen created. So it doesn't take bp->num_tc into account and assumes\nthat it is always 0 or 1.\n\nIn the FW resource or capability change scenario, the FW will return\nflags in bnxt_hwrm_if_change() that will cause the driver to\nreinitialize and call bnxt_cancel_reservations(). This will lead to\nbnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc\nmay be greater than 1. This will cause bp->tx_ring[] to be sized too\nsmall and cause memory corruption in bnxt_alloc_cp_rings().\n\nFix it by properly scaling the TX rings by bp->num_tc in the code\npaths mentioned above. Add 2 helper functions to determine\nbp->tx_nr_rings and bp->tx_nr_rings_per_tc.(CVE-2025-39810)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n Call trace:\n kasan_check_range+0xe8/0x190\n __asan_loadN+0x1c/0x28\n memcmp+0x98/0xd0\n efivarfs_d_compare+0x68/0xd8\n __d_lookup_rcu_op_compare+0x178/0x218\n __d_lookup_rcu+0x1f8/0x228\n d_alloc_parallel+0x150/0x648\n lookup_open.isra.0+0x5f0/0x8d0\n open_last_lookups+0x264/0x828\n path_openat+0x130/0x3f8\n do_filp_open+0x114/0x248\n do_sys_openat2+0x340/0x3c0\n __arm64_sys_openat+0x120/0x1a0\n\nIf dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become\nnegative, leadings to oob. The issue can be triggered by parallel\nlookups using invalid filename:\n\n T1\t\t\tT2\n lookup_open\n ->lookup\n simple_lookup\n d_add\n // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t __d_lookup_rcu\n\t\t\t __d_lookup_rcu_op_compare\n\t\t\t hlist_bl_for_each_entry_rcu\n\t\t\t // invalid dentry can be retrieved\n\t\t\t ->d_compare\n\t\t\t efivarfs_d_compare\n\t\t\t // oob\n\nFix it by checking 'guid' before cmp.(CVE-2025-39817)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix race with concurrent opens in rename(2)\n\nBesides sending the rename request to the server, the rename process\nalso involves closing any deferred close, waiting for outstanding I/O\nto complete as well as marking all existing open handles as deleted to\nprevent them from deferring closes, which increases the race window\nfor potential concurrent opens on the target file.\n\nFix this by unhashing the dentry in advance to prevent any concurrent\nopens on the target.(CVE-2025-39825)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed kworker\n----------------------------------------------------------------------\n___mark_inode_dirty inode_switch_wbs_work_fn\n\n spin_lock(&inode->i_lock);\n inode_attach_wb\n locked_inode_to_wb_and_lock_list\n get inode->i_wb\n spin_unlock(&inode->i_lock);\n spin_lock(&wb->list_lock)\n spin_lock(&inode->i_lock)\n inode_io_list_move_locked\n spin_unlock(&wb->list_lock)\n spin_unlock(&inode->i_lock)\n spin_lock(&old_wb->list_lock)\n inode_do_switch_wbs\n spin_lock(&inode->i_lock)\n inode->i_wb = new_wb\n spin_unlock(&inode->i_lock)\n spin_unlock(&old_wb->list_lock)\n wb_put_many(old_wb, nr_switched)\n cgwb_release\n old wb released\n wb_wakeup_delayed() accesses wb,\n then trigger the use-after-free\n issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished.(CVE-2025-39866)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 > test/cgroup.pressure\n3. Re-enable monitoring: echo 1 > test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:\n - Releases PSI triggers via cgroup_file_release()\n - Frees of->priv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 > cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft->release(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 > cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors.(CVE-2025-39881)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n <TASK>\n free_irq+0x32/0x70\n i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n i40e_vsi_request_irq+0x79/0x80 [i40e]\n i40e_vsi_open+0x21f/0x2f0 [i40e]\n i40e_open+0x63/0x130 [i40e]\n __dev_open+0xfc/0x210\n __dev_change_flags+0x1fc/0x240\n netif_change_flags+0x27/0x70\n do_setlink.isra.0+0x341/0xc70\n rtnl_newlink+0x468/0x860\n rtnetlink_rcv_msg+0x375/0x450\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x288/0x3c0\n netlink_sendmsg+0x20d/0x430\n ____sys_sendmsg+0x3a2/0x3d0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x82/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail intentionally.(CVE-2025-39911)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Harden uplink netdev access against device unbind\n\nThe function mlx5_uplink_netdev_get() gets the uplink netdevice\npointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can\nbe removed and its pointer cleared when unbound from the mlx5_core.eth\ndriver. This results in a NULL pointer, causing a kernel panic.\n\n BUG: unable to handle page fault for address: 0000000000001300\n at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]\n Call Trace:\n <TASK>\n mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]\n esw_offloads_enable+0x593/0x910 [mlx5_core]\n mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xd0\n genl_family_rcv_msg_doit+0xe0/0x130\n genl_rcv_msg+0x183/0x290\n netlink_rcv_skb+0x4b/0xf0\n genl_rcv+0x24/0x40\n netlink_unicast+0x255/0x380\n netlink_sendmsg+0x1f3/0x420\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x119/0x180\n do_syscall_64+0x53/0x1d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nEnsure the pointer is valid before use by checking it for NULL. If it\nis valid, immediately call netdev_hold() to take a reference, and\npreventing the netdevice from being freed while it is in use.(CVE-2025-39947)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuner: xc5000: Fix use-after-free in xc5000_release\n\nThe original code uses cancel_delayed_work() in xc5000_release(), which\ndoes not guarantee that the delayed work item timer_sleep has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere xc5000_release() may free the xc5000_priv while timer_sleep is still\nactive and attempts to dereference the xc5000_priv.\n\nA typical race condition is illustrated below:\n\nCPU 0 (release thread) | CPU 1 (delayed work callback)\nxc5000_release() | xc5000_do_timer_sleep()\n cancel_delayed_work() |\n hybrid_tuner_release_state(priv) |\n kfree(priv) |\n | priv = container_of() // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the timer_sleep is properly canceled before the xc5000_priv memory\nis deallocated.\n\nA deadlock concern was considered: xc5000_release() is called in a process\ncontext and is not holding any locks that the timer_sleep work item might\nalso need. Therefore, the use of the _sync() variant is safe here.\n\nThis bug was initially identified through static analysis.\n\n[hverkuil: fix typo in Subject: tunner -> tuner](CVE-2025-39994)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove\n\nThe original code uses cancel_delayed_work() in flexcop_pci_remove(), which\ndoes not guarantee that the delayed work item irq_check_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere flexcop_pci_remove() may free the flexcop_device while irq_check_work\nis still active and attempts to dereference the device.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove) | CPU 1 (delayed work callback)\nflexcop_pci_remove() | flexcop_pci_irq_check_work()\n cancel_delayed_work() |\n flexcop_device_kfree(fc_pci->fc_dev) |\n | fc = fc_pci->fc_dev; // UAF\n\nThis is confirmed by a KASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff8880093aa8c8 by task bash/135\n...\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n </IRQ>\n...\n\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x1be/0x460\n flexcop_device_kmalloc+0x54/0xe0\n flexcop_pci_probe+0x1f/0x9d0\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 135:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n flexcop_device_kfree+0x32/0x50\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing delayed\nwork has finished before the device memory is deallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced\nartificial delays within the flexcop_pci_irq_check_work() function to\nincrease the likelihood of triggering the bug.(CVE-2025-39996)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID\n\nPer UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero\nunique ID.\n\n```\nEach Unit and Terminal within the video function is assigned a unique\nidentification number, the Unit ID (UID) or Terminal ID (TID), contained in\nthe bUnitID or bTerminalID field of the descriptor. The value 0x00 is\nreserved for undefined ID,\n```\n\nIf we add a new entity with id 0 or a duplicated ID, it will be marked\nas UVC_INVALID_ENTITY_ID.\n\nIn a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require\nentities to have a non-zero unique ID"), we ignored all the invalid units,\nthis broke a lot of non-compatible cameras. Hopefully we are more lucky\nthis time.\n\nThis also prevents some syzkaller reproducers from triggering warnings due\nto a chain of entities referring to themselves. In one particular case, an\nOutput Unit is connected to an Input Unit, both with the same ID of 1. But\nwhen looking up for the source ID of the Output Unit, that same entity is\nfound instead of the input entity, which leads to such warnings.\n\nIn another case, a backward chain was considered finished as the source ID\nwas 0. Later on, that entity was found, but its pads were not valid.\n\nHere is a sample stack trace for one of those cases.\n\n[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd\n[ 20.830206] usb 1-1: Using ep0 maxpacket: 8\n[ 20.833501] usb 1-1: config 0 descriptor??\n[ 21.038518] usb 1-1: string descriptor 0 read error: -71\n[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)\n[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!\n[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!\n[ 21.042218] ------------[ cut here ]------------\n[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0\n[ 21.043195] Modules linked in:\n[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444\n[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[ 21.044639] Workqueue: usb_hub_wq hub_event\n[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0\n[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00\n[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246\n[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1\n[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290\n[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000\n[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003\n[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000\n[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000\n[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0\n[ 21.051136] PKRU: 55555554\n[ 21.051331] Call Trace:\n[ 21.051480] <TASK>\n[ 21.051611] ? __warn+0xc4/0x210\n[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.052252] ? report_bug+0x11b/0x1a0\n[ 21.052540] ? trace_hardirqs_on+0x31/0x40\n[ 21.052901] ? handle_bug+0x3d/0x70\n[ 21.053197] ? exc_invalid_op+0x1a/0x50\n[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20\n[ 21.053924] ? media_create_pad_link+0x91/0x2e0\n[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.054834] ? media_create_pad_link+0x91/0x2e0\n[ 21.055131] ? _raw_spin_unlock+0x1e/0x40\n[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210\n[ 21.055837] uvc_mc_register_entities+0x358/0x400\n[ 21.056144] uvc_register_chains+0x1\n---truncated---(CVE-2025-40016)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix uninit-value in squashfs_get_parent\n\nSyzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.\n\nThis is caused by open_by_handle_at() being called with a file handle\ncontaining an invalid parent inode number. In particular the inode number\nis that of a symbolic link, rather than a directory.\n\nSquashfs_get_parent() gets called with that symbolic link inode, and\naccesses the parent member field.\n\n\tunsigned int parent_ino = squashfs_i(inode)->parent;\n\nBecause non-directory inodes in Squashfs do not have a parent value, this\nis uninitialised, and this causes an uninitialised value access.\n\nThe fix is to initialise parent with the invalid inode 0, which will cause\nan EINVAL error to be returned.\n\nRegular inodes used to share the parent field with the block_list_start\nfield. This is removed in this commit to enable the parent field to\ncontain the invalid inode number 0.(CVE-2025-40049)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix crypto buffers in non-linear memory\n\nThe crypto API, through the scatterlist API, expects input buffers to be\nin linear memory. We handle this with the cifs_sg_set_buf() helper\nthat converts vmalloc'd memory to their corresponding pages.\n\nHowever, when we allocate our aead_request buffer (@creq in\nsmb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly\nputs aead_request->__ctx in vmalloc area.\n\nAEAD algorithm then uses ->__ctx for its private/internal data and\noperations, and uses sg_set_buf() for such data on a few places.\n\nThis works fine as long as @creq falls into kmalloc zone (small\nrequests) or vmalloc'd memory is still within linear range.\n\nTasks' stacks are vmalloc'd by default (CONFIG_VMAP_STACK=y), so too\nmany tasks will increment the base stacks' addresses to a point where\nvirt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when that\nhappens.\n\nIn practice: too many parallel reads and writes on an encrypted mount\nwill trigger this bug.\n\nTo fix this, always alloc @creq with kmalloc() instead.\nAlso drop the @sensitive_size variable/arguments since\nkfree_sensitive() doesn't need it.\n\nBacktrace:\n\n[ 945.272081] ------------[ cut here ]------------\n[ 945.272774] kernel BUG at include/linux/scatterlist.h:209!\n[ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)\n[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)\n[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220\n[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b\n[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246\n[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030\n[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070\n[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000\n[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070\n[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010\n[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000\n[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0\n[ 945.286683] Call Trace:\n[ 945.286952] <TASK>\n[ 945.287184] ? crypt_message+0x33f/0xad0 [cifs]\n[ 945.287719] crypto_gcm_encrypt+0x36/0xe0\n[ 945.288152] crypt_message+0x54a/0xad0 [cifs]\n[ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs]\n[ 945.289300] smb_send_rqst+0xa3/0x160 [cifs]\n[ 945.289944] cifs_call_async+0x178/0x340 [cifs]\n[ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]\n[ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs]\n[ 945.291759] ? find_held_lock+0x32/0x90\n[ 945.292212] ? netfs_advance_write+0xf2/0x310\n[ 945.292723] netfs_advance_write+0xf2/0x310\n[ 945.293210] netfs_write_folio+0x346/0xcc0\n[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10\n[ 945.294250] netfs_writepages+0x117/0x460\n[ 945.294724] do_writepages+0xbe/0x170\n[ 945.295152] ? find_held_lock+0x32/0x90\n[ 945.295600] ? kvm_sched_clock_read+0x11/0x20\n[ 945.296103] __writeback_single_inode+0x56/0x4b0\n[ 945.296643] writeback_sb_inodes+0x229/0x550\n[ 945.297140] __writeback_inodes_wb+0x4c/0xe0\n[ 945.297642] wb_writeback+0x2f1/0x3f0\n[ 945.298069] wb_workfn+0x300/0x490\n[ 945.298472] process_one_work+0x1fe/0x590\n[ 945.298949] worker_thread+0x1ce/0x3c0\n[ 945.299397] ? __pfx_worker_thread+0x10/0x10\n[ 945.299900] kthr\n---truncated---(CVE-2025-40052)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Disallow dirty tracking if incoherent page walk\n\nDirty page tracking relies on the IOMMU atomically updating the dirty bit\nin the paging-structure entry. For this operation to succeed, the paging-\nstructure memory must be coherent between the IOMMU and the CPU. In\nanother word, if the iommu page walk is incoherent, dirty page tracking\ndoesn't work.\n\nThe Intel VT-d specification, Section 3.10 "Snoop Behavior" states:\n\n"Remapping hardware encountering the need to atomically update A/EA/D bits\n in a paging-structure entry that is not snooped will result in a non-\n recoverable fault."\n\nTo prevent an IOMMU from being incorrectly configured for dirty page\ntracking when it is operating in an incoherent mode, mark SSADS as\nsupported only when both ecap_slads and ecap_smpwc are supported.(CVE-2025-40058)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race in do_task() when draining\n\nWhen do_task() exhausts its iteration budget (!ret), it sets the state\nto TASK_STATE_IDLE to reschedule, without a secondary check on the\ncurrent task->state. This can overwrite the TASK_STATE_DRAINING state\nset by a concurrent call to rxe_cleanup_task() or rxe_disable_task().\n\nWhile state changes are protected by a spinlock, both rxe_cleanup_task()\nand rxe_disable_task() release the lock while waiting for the task to\nfinish draining in the while(!is_done(task)) loop. The race occurs if\ndo_task() hits its iteration limit and acquires the lock in this window.\nThe cleanup logic may then proceed while the task incorrectly\nreschedules itself, leading to a potential use-after-free.\n\nThis bug was introduced during the migration from tasklets to workqueues,\nwhere the special handling for the draining case was lost.\n\nFix this by restoring the original pre-migration behavior. If the state is\nTASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to\nforce a new loop iteration. This allows the task to finish its work, so\nthat a subsequent iteration can reach the switch statement and correctly\ntransition the state to TASK_STATE_DRAINED, stopping the task as intended.(CVE-2025-40061)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv4: start using dst_dev_rcu()\n\nChange icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.\n\nChange ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),\nipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().(CVE-2025-40074)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: use dst_dev_net_rcu()\n\nReplace three dst_dev() with a lockdep enabled helper.(CVE-2025-40075)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: fix mailbox API compatibility by negotiating supported features\n\nThere was backward compatibility in the terms of mailbox API. Various\ndrivers from various OSes supporting 10G adapters from Intel portfolio\ncould easily negotiate mailbox API.\n\nThis convention has been broken since introducing API 1.4.\nCommit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support\nfor IPSec which is specific only for the kernel ixgbe driver. None of the\nrest of the Intel 10G PF/VF drivers supports it. And actually lack of\nsupport was not included in the IPSec implementation - there were no such\ncode paths. No possibility to negotiate support for the feature was\nintroduced along with introduction of the feature itself.\n\nCommit 339f28964147 ("ixgbevf: Add support for new mailbox communication\nbetween PF and VF") increasing API version to 1.5 did the same - it\nintroduced code supported specifically by the PF ESX driver. It altered API\nversion for the VF driver in the same time not touching the version\ndefined for the PF ixgbe driver. It led to additional discrepancies,\nas the code provided within API 1.6 cannot be supported for Linux ixgbe\ndriver as it causes crashes.\n\nThe issue was noticed some time ago and mitigated by Jake within the commit\nd0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5").\nAs a result we have regression for IPsec support and after increasing API\nto version 1.6 ixgbevf driver stopped to support ESX MBX.\n\nTo fix this mess add new mailbox op asking PF driver about supported\nfeatures. Basing on a response determine whether to set support for IPSec\nand ESX-specific enhanced mailbox.\n\nNew mailbox op, for compatibility purposes, must be added within new API\nrevision, as API version of OOT PF & VF drivers is already increased to\n1.6 and doesn't incorporate features negotiate op.\n\nFeatures negotiation mechanism gives possibility to be extended with new\nfeatures when needed in the future.(CVE-2025-40104)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver just ignores and leaves as is, which may lead to\nunepxected results like OOB access.\n\nThis patch adds the sanity check and corrects the input mapping to the\ncertain default value if an invalid value is passed.(CVE-2025-40121)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_xmit()\n\nUse RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent\npossible UAF.(CVE-2025-40135)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().\n\nsmc_clc_prfx_set() is called during connect() and not under RCU\nnor RTNL.\n\nUsing sk_dst_get(sk)->dev could trigger UAF.\n\nLet's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()\nafter kernel_getsockname().\n\nNote that the returned value of smc_clc_prfx_set() is not used\nin the caller.\n\nWhile at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()\nnot to touch dst there.(CVE-2025-40139)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)->dev could trigger UAF.\n\nLet's use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only ->ndo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU.(CVE-2025-40149)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: debugfs: Fix legacy mode page table dump logic\n\nIn legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR\nmaybe uninitialized or zero in that case and may cause oops like:\n\n Oops: general protection fault, probably for non-canonical address\n 0xf00087d3f000f000: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n RIP: 0010:pgtable_walk_level+0x98/0x150\n RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206\n RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e\n RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000\n RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002\n R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000\n R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98\n FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n pgtable_walk_level+0x88/0x150\n domain_translation_struct_show.isra.0+0x2d9/0x300\n dev_domain_translation_struct_show+0x20/0x40\n seq_read_iter+0x12d/0x490\n...\n\nAvoid walking the page table if TT is not 00b or 01b.(CVE-2025-40155)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_output()\n\nUse RCU in ip6_output() in order to use dst_dev_rcu() to prevent\npossible UAF.\n\nWe can remove rcu_read_lock()/rcu_read_unlock() pairs\nfrom ip6_finish_output2().(CVE-2025-40158)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.0-127.0.0.113.oe2403"}]}],"ecosystem_specific":{"aarch64":["bpftool-6.6.0-127.0.0.113.oe2403.aarch64.rpm","bpftool-debuginfo-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-debuginfo-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-debugsource-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-devel-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-headers-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-source-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-tools-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-tools-debuginfo-6.6.0-127.0.0.113.oe2403.aarch64.rpm","kernel-tools-devel-6.6.0-127.0.0.113.oe2403.aarch64.rpm","perf-6.6.0-127.0.0.113.oe2403.aarch64.rpm","perf-debuginfo-6.6.0-127.0.0.113.oe2403.aarch64.rpm","python3-perf-6.6.0-127.0.0.113.oe2403.aarch64.rpm","python3-perf-debuginfo-6.6.0-127.0.0.113.oe2403.aarch64.rpm"],"src":["kernel-6.6.0-127.0.0.113.oe2403.src.rpm"],"x86_64":["bpftool-6.6.0-127.0.0.113.oe2403.x86_64.rpm","bpftool-debuginfo-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-debuginfo-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-debugsource-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-devel-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-headers-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-source-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-tools-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-tools-debuginfo-6.6.0-127.0.0.113.oe2403.x86_64.rpm","kernel-tools-devel-6.6.0-127.0.0.113.oe2403.x86_64.rpm","perf-6.6.0-127.0.0.113.oe2403.x86_64.rpm","perf-debuginfo-6.6.0-127.0.0.113.oe2403.x86_64.rpm","python3-perf-6.6.0-127.0.0.113.oe2403.x86_64.rpm","python3-perf-debuginfo-6.6.0-127.0.0.113.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2802"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38381"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38584"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38615"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38633"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38659"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38667"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40902"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40904"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41079"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42101"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42102"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42245"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42247"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42297"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49863"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49875"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49894"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49905"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49925"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49930"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49935"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49948"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49949"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49950"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49957"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49962"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50002"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50005"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53131"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57887"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57900"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-58095"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21945"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21968"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22022"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22025"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22026"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22039"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22042"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22043"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23133"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37822"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37861"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37899"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37973"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37994"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37997"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38005"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38058"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38071"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38109"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38231"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38282"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38350"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38361"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38443"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38457"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38470"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38477"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38527"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38566"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38588"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38614"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38617"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38636"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38664"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38706"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38727"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39675"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39677"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39684"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39697"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39810"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39817"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39825"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39866"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39881"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39911"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39947"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39994"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39996"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40016"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40049"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40052"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40058"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40061"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40074"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40075"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40104"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40121"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40135"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40139"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40149"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40155"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40158"}],"database_specific":{"severity":"High"}}