{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-1088-kvm", "linux-image-5.15.0-1088-kvm", "linux-kvm-headers-5.15.0-1088", "linux-modules-5.15.0-1088-kvm" ], "removed": [ "linux-headers-5.15.0-1087-kvm", "linux-image-5.15.0-1087-kvm", "linux-kvm-headers-5.15.0-1087", "linux-modules-5.15.0-1087-kvm" ], "diff": [ "cloud-init", "curl", "libcurl4", "libssl3", "linux-headers-kvm", "linux-image-kvm", "linux-kvm", "needrestart", "openssl" ] } }, "diff": { "deb": [ { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.1.4-0ubuntu0~22.04.1", "version": "25.1.4-0ubuntu0~22.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "25.2-0ubuntu1~22.04.1", "version": "25.2-0ubuntu1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2120495 ], "changes": [ { "cves": [], "log": [ "", " * refresh patches", " - d/p/cli-retain-file-argument-as-main-cmd-arg.patch", " - d/p/deprecation-version-boundary.patch", " - d/p/grub-dpkg-support.patch", " - d/p/keep-dhclient-as-priority-client.patch", " - d/p/no-nocloud-network.patch", " - d/p/no-remove-networkd-online.patch", " - d/p/no-single-process.patch", " - d/p/retain-ec2-default-net-update-events.patch", " - d/p/retain-old-groups.patch", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " * add d/p/strip-invalid-mtu.patch", " - Provides backwards compatibility for an other invalid", " MTU in a netplan config. (GH-6239)", " * Upstream snapshot based on 25.2. (LP: #2120495).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/25.2/ChangeLog", "" ], "package": "cloud-init", "version": "25.2-0ubuntu1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2120495 ], "author": "James Falcon ", "date": "Tue, 12 Aug 2025 14:48:04 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.20", "version": "7.81.0-1ubuntu1.20" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.21", "version": "7.81.0-1ubuntu1.21" }, "cves": [ { "cve": "CVE-2022-32205", "url": "https://ubuntu.com/security/CVE-2022-32205", "cve_description": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.", "cve_priority": "medium", "cve_public_date": "2022-07-07 13:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2118865 ], "changes": [ { "cves": [ { "cve": "CVE-2022-32205", "url": "https://ubuntu.com/security/CVE-2022-32205", "cve_description": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.", "cve_priority": "medium", "cve_public_date": "2022-07-07 13:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: incorrect Cookie header field size check", " (LP: #2118865)", " - debian/patches/CVE-2022-32205-2.patch: rectify the field size check", " in lib/http.c.", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2118865 ], "author": "Marc Deslauriers ", "date": "Tue, 23 Sep 2025 07:24:37 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl4", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.20", "version": "7.81.0-1ubuntu1.20" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.21", "version": "7.81.0-1ubuntu1.21" }, "cves": [ { "cve": "CVE-2022-32205", "url": "https://ubuntu.com/security/CVE-2022-32205", "cve_description": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.", "cve_priority": "medium", "cve_public_date": "2022-07-07 13:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2118865 ], "changes": [ { "cves": [ { "cve": "CVE-2022-32205", "url": "https://ubuntu.com/security/CVE-2022-32205", "cve_description": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a \"sister server\" to effectively cause a denial of service for a sibling site on the same second level domain using this method.", "cve_priority": "medium", "cve_public_date": "2022-07-07 13:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: incorrect Cookie header field size check", " (LP: #2118865)", " - debian/patches/CVE-2022-32205-2.patch: rectify the field size check", " in lib/http.c.", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2118865 ], "author": "Marc Deslauriers ", "date": "Tue, 23 Sep 2025 07:24:37 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssl3", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.19", "version": "3.0.2-0ubuntu1.19" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.20", "version": "3.0.2-0ubuntu1.20" }, "cves": [ { "cve": "CVE-2025-9230", "url": "https://ubuntu.com/security/CVE-2025-9230", "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2025-09-30 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9230", "url": "https://ubuntu.com/security/CVE-2025-9230", "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2025-09-30 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-bounds read & write in RFC 3211 KEK Unwrap", " - debian/patches/CVE-2025-9230.patch: fix incorrect check of unwrapped", " key size in crypto/cms/cms_pwri.c.", " - CVE-2025-9230", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.20", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 18 Sep 2025 08:06:16 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1087.83", "version": "5.15.0.1087.83" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1088.84", "version": "5.15.0.1088.84" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1088", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1088.84", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 16:19:18 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1087.83", "version": "5.15.0.1087.83" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1088.84", "version": "5.15.0.1088.84" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1088", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1088.84", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 16:19:18 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1087.83", "version": "5.15.0.1087.83" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1088.84", "version": "5.15.0.1088.84" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1088", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1088.84", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 16:19:18 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "needrestart", "from_version": { "source_package_name": "needrestart", "source_package_version": "3.5-5ubuntu2.4", "version": "3.5-5ubuntu2.4" }, "to_version": { "source_package_name": "needrestart", "source_package_version": "3.5-5ubuntu2.5", "version": "3.5-5ubuntu2.5" }, "cves": [], "launchpad_bugs_fixed": [ 2004203 ], "changes": [ { "cves": [], "log": [ "", " * Make stdio noninteractive if DEBIAN_FRONTEND='noninteractive'", " (LP: #2004203)", " - d/p/0001-UI-Make-stdio-noninteractive-if-DEBIAN_FRONTEND-noni.patch:", " Cherrypick of upstream pull request 214", " - Drop d/p/168.patch (upstream pull request 168) which was an", " incomplete fix supersided by PR 214.", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.5", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2004203 ], "author": "Zachary Raines ", "date": "Wed, 10 Sep 2025 19:15:59 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.19", "version": "3.0.2-0ubuntu1.19" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.20", "version": "3.0.2-0ubuntu1.20" }, "cves": [ { "cve": "CVE-2025-9230", "url": "https://ubuntu.com/security/CVE-2025-9230", "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2025-09-30 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9230", "url": "https://ubuntu.com/security/CVE-2025-9230", "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.", "cve_priority": "medium", "cve_public_date": "2025-09-30 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-bounds read & write in RFC 3211 KEK Unwrap", " - debian/patches/CVE-2025-9230.patch: fix incorrect check of unwrapped", " key size in crypto/cms/cms_pwri.c.", " - CVE-2025-9230", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.20", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 18 Sep 2025 08:06:16 -0400" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-1088-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1087.92", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1088.93", "version": "5.15.0-1088.93" }, "cves": [ { "cve": "CVE-2025-38067", "url": "https://ubuntu.com/security/CVE-2025-38067", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38074", "url": "https://ubuntu.com/security/CVE-2025-38074", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); \t\t\t\t QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38439", "url": "https://ubuntu.com/security/CVE-2025-38439", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38441", "url": "https://ubuntu.com/security/CVE-2025-38441", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38443", "url": "https://ubuntu.com/security/CVE-2025-38443", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38444", "url": "https://ubuntu.com/security/CVE-2025-38444", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm \"fio\", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38445", "url": "https://ubuntu.com/security/CVE-2025-38445", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { \t// newpool is on the stack \tmempool_t newpool, oldpool; \t// initialize newpool.wait.head to stack address \tmempool_init(&newpool, ...); \tconf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { \talloc_r1bio() \t{ \t\tmempool_alloc() \t\t{ \t\t\t// if pool->alloc fails \t\t\tremove_element() \t\t\t{ \t\t\t\t--pool->curr_nr; \t\t\t} \t\t} \t} } mempool_free() { \tif (pool->curr_nr < pool->min_nr) { \t\t// pool->wait.head is a stack address \t\t// wake_up() will try to access this invalid address \t\t// which leads to a kernel panic \t\treturn; \t\twake_up(&pool->wait); \t} } Fix: reinit conf->r1bio_pool.wait after assigning newpool.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38375", "url": "https://ubuntu.com/security/CVE-2025-38375", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.", "cve_priority": "medium", "cve_public_date": "2025-07-25 13:15:00 UTC" }, { "cve": "CVE-2025-38448", "url": "https://ubuntu.com/security/CVE-2025-38448", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1:\t\t\t CPU2: gserial_connect() // lock \t\t\t gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() \t\t\t gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-44939", "url": "https://ubuntu.com/security/CVE-2024-44939", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-26775", "url": "https://ubuntu.com/security/CVE-2024-26775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2022-48703", "url": "https://ubuntu.com/security/CVE-2022-48703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.", "cve_priority": "medium", "cve_public_date": "2024-05-03 16:15:00 UTC" }, { "cve": "CVE-2025-38457", "url": "https://ubuntu.com/security/CVE-2025-38457", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38458", "url": "https://ubuntu.com/security/CVE-2025-38458", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38459", "url": "https://ubuntu.com/security/CVE-2025-38459", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38460", "url": "https://ubuntu.com/security/CVE-2025-38460", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip causes unregister hang\"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38461", "url": "https://ubuntu.com/security/CVE-2025-38461", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38462", "url": "https://ubuntu.com/security/CVE-2025-38462", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38464", "url": "https://ubuntu.com/security/CVE-2025-38464", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38465", "url": "https://ubuntu.com/security/CVE-2025-38465", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) \tatomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e (\"udp: Fix multiple wraparounds of sk->sk_rmem_alloc.\"). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38466", "url": "https://ubuntu.com/security/CVE-2025-38466", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38467", "url": "https://ubuntu.com/security/CVE-2025-38467", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-36350", "url": "https://ubuntu.com/security/CVE-2024-36350", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-36357", "url": "https://ubuntu.com/security/CVE-2024-36357", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-26726", "url": "https://ubuntu.com/security/CVE-2024-26726", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2025-38245", "url": "https://ubuntu.com/security/CVE-2025-38245", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b ", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38249", "url": "https://ubuntu.com/security/CVE-2025-38249", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38251", "url": "https://ubuntu.com/security/CVE-2025-38251", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38257", "url": "https://ubuntu.com/security/CVE-2025-38257", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org).", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38230", "url": "https://ubuntu.com/security/CVE-2025-38230", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-07-04 14:15:00 UTC" }, { "cve": "CVE-2025-38262", "url": "https://ubuntu.com/security/CVE-2025-38262", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38263", "url": "https://ubuntu.com/security/CVE-2025-38263", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2024-57996", "url": "https://ubuntu.com/security/CVE-2024-57996", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.", "cve_priority": "medium", "cve_public_date": "2025-02-27 02:15:00 UTC" }, { "cve": "CVE-2025-37752", "url": "https://ubuntu.com/security/CVE-2025-37752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38350", "url": "https://ubuntu.com/security/CVE-2025-38350", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.", "cve_priority": "medium", "cve_public_date": "2025-07-19 07:15:00 UTC" }, { "cve": "CVE-2024-27407", "url": "https://ubuntu.com/security/CVE-2024-27407", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()", "cve_priority": "high", "cve_public_date": "2024-05-17 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2120084, 1786013, 2120207, 2118499, 2120098, 1786013, 2107816, 2115238, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118993, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2116904, 2118407 ], "changes": [ { "cves": [ { "cve": "CVE-2025-38067", "url": "https://ubuntu.com/security/CVE-2025-38067", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38074", "url": "https://ubuntu.com/security/CVE-2025-38074", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); \t\t\t\t QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38439", "url": "https://ubuntu.com/security/CVE-2025-38439", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38441", "url": "https://ubuntu.com/security/CVE-2025-38441", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38443", "url": "https://ubuntu.com/security/CVE-2025-38443", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38444", "url": "https://ubuntu.com/security/CVE-2025-38444", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm \"fio\", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38445", "url": "https://ubuntu.com/security/CVE-2025-38445", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { \t// newpool is on the stack \tmempool_t newpool, oldpool; \t// initialize newpool.wait.head to stack address \tmempool_init(&newpool, ...); \tconf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { \talloc_r1bio() \t{ \t\tmempool_alloc() \t\t{ \t\t\t// if pool->alloc fails \t\t\tremove_element() \t\t\t{ \t\t\t\t--pool->curr_nr; \t\t\t} \t\t} \t} } mempool_free() { \tif (pool->curr_nr < pool->min_nr) { \t\t// pool->wait.head is a stack address \t\t// wake_up() will try to access this invalid address \t\t// which leads to a kernel panic \t\treturn; \t\twake_up(&pool->wait); \t} } Fix: reinit conf->r1bio_pool.wait after assigning newpool.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38375", "url": "https://ubuntu.com/security/CVE-2025-38375", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.", "cve_priority": "medium", "cve_public_date": "2025-07-25 13:15:00 UTC" }, { "cve": "CVE-2025-38448", "url": "https://ubuntu.com/security/CVE-2025-38448", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1:\t\t\t CPU2: gserial_connect() // lock \t\t\t gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() \t\t\t gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-44939", "url": "https://ubuntu.com/security/CVE-2024-44939", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-26775", "url": "https://ubuntu.com/security/CVE-2024-26775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2022-48703", "url": "https://ubuntu.com/security/CVE-2022-48703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.", "cve_priority": "medium", "cve_public_date": "2024-05-03 16:15:00 UTC" }, { "cve": "CVE-2025-38457", "url": "https://ubuntu.com/security/CVE-2025-38457", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38458", "url": "https://ubuntu.com/security/CVE-2025-38458", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38459", "url": "https://ubuntu.com/security/CVE-2025-38459", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38460", "url": "https://ubuntu.com/security/CVE-2025-38460", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip causes unregister hang\"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38461", "url": "https://ubuntu.com/security/CVE-2025-38461", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38462", "url": "https://ubuntu.com/security/CVE-2025-38462", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38464", "url": "https://ubuntu.com/security/CVE-2025-38464", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38465", "url": "https://ubuntu.com/security/CVE-2025-38465", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) \tatomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e (\"udp: Fix multiple wraparounds of sk->sk_rmem_alloc.\"). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38466", "url": "https://ubuntu.com/security/CVE-2025-38466", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38467", "url": "https://ubuntu.com/security/CVE-2025-38467", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-36350", "url": "https://ubuntu.com/security/CVE-2024-36350", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-36357", "url": "https://ubuntu.com/security/CVE-2024-36357", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-26726", "url": "https://ubuntu.com/security/CVE-2024-26726", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2025-38245", "url": "https://ubuntu.com/security/CVE-2025-38245", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b ", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38249", "url": "https://ubuntu.com/security/CVE-2025-38249", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38251", "url": "https://ubuntu.com/security/CVE-2025-38251", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38257", "url": "https://ubuntu.com/security/CVE-2025-38257", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org).", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38230", "url": "https://ubuntu.com/security/CVE-2025-38230", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-07-04 14:15:00 UTC" }, { "cve": "CVE-2025-38262", "url": "https://ubuntu.com/security/CVE-2025-38262", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38263", "url": "https://ubuntu.com/security/CVE-2025-38263", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2024-57996", "url": "https://ubuntu.com/security/CVE-2024-57996", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.", "cve_priority": "medium", "cve_public_date": "2025-02-27 02:15:00 UTC" }, { "cve": "CVE-2025-37752", "url": "https://ubuntu.com/security/CVE-2025-37752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38350", "url": "https://ubuntu.com/security/CVE-2025-38350", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.", "cve_priority": "medium", "cve_public_date": "2025-07-19 07:15:00 UTC" }, { "cve": "CVE-2024-27407", "url": "https://ubuntu.com/security/CVE-2024-27407", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()", "cve_priority": "high", "cve_public_date": "2024-05-17 12:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1088.93 -proposed tracker (LP: #2120084)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.kvm/dkms-versions -- update from kernel-versions", " (main/2025.08.11)", "", " [ Ubuntu: 5.15.0-156.166 ]", "", " * jammy/linux: 5.15.0-156.166 -proposed tracker (LP: #2120207)", " * minimal kernel lacks modules for blk disk in arm64 openstack environments", " where config_drive is required (LP: #2118499)", " - [Config] Enable SYM53C8XX_2 on arm64", "", " [ Ubuntu: 5.15.0-154.164 ]", "", " * jammy/linux: 5.15.0-154.164 -proposed tracker (LP: #2120098)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2025.08.11)", " * warning at iommu_dma_unmap_page when running ibv_rc_pingpong", " (LP: #2107816)", " - RDMA/mlx5: Fix a WARN during dereg_mr for DM type", " * dmesg flooded with errors: amdgpu: DP AUX transfer fail:4 (LP: #2115238)", " - drm/amd/display: Avoid flooding unnecessary info messages", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995)", " - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode", " - fix proc_sys_compare() handling of in-lookup dentries", " - vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also", " `transport_local`", " - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap", " - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX", " - atm: clip: Fix memory leak of struct clip_vcc.", " - ice: safer stats processing", " - rxrpc: Fix oops due to non-existence of prealloc backlog struct", " - bpf: fix precision backtracking instruction iteration", " - bpf, sockmap: Fix skb refcnt race after locking changes", " - xen: replace xen_remap() with memremap()", " - x86/mce/amd: Fix threshold limit reset", " - x86/mce: Don't remove sysfs if thresholding sysfs init fails", " - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel", " - gre: Fix IPv6 multicast route creation.", " - pinctrl: qcom: msm: mark certain pins as invalid for interrupts", " - drm/sched: Increment job count before swapping tail spsc queue", " - drm/gem: Fix race in drm_gem_handle_create_tail()", " - Revert \"ACPI: battery: negate current when discharging\"", " - btrfs: propagate last_unlink_trans earlier when doing a rmdir", " - btrfs: use btrfs_record_snapshot_destroy() during rmdir", " - RDMA/mlx5: Fix vport loopback for MPV device", " - pwm: mediatek: Ensure to disable clocks in error path", " - netlink: Fix rmem check in netlink_broadcast_deliver().", " - netlink: make sure we allow at least one dump skb", " - xhci: Allow RPM on the USB controller (1022:43f7) by default", " - usb: xhci: quirk for data loss in ISOC transfers", " - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS", " - Input: xpad - support Acer NGR 200 Controller", " - usb:cdnsp: remove TRB_FLUSH_ENDPOINT command", " - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant", " - usb: cdnsp: Fix issue with CV Bad Descriptor test", " - usb: dwc3: Abort suspend on soft disconnect failure", " - dma-buf: add dma_resv_for_each_fence_unlocked v8", " - dma-buf: use new iterator in dma_resv_wait_timeout", " - dma-buf: fix timeout handling in dma_resv_wait_timeout v2", " - wifi: zd1211rw: Fix potential NULL pointer dereference in", " zd_mac_tx_to_dev()", " - smb: server: make use of rdma_destroy_qp()", " - ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()", " - net: appletalk: Fix device refcount leak in atrtr_create()", " - net: phy: microchip: limit 100M workaround to link-down events on", " LAN88xx", " - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to", " debug level", " - net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam()", " - bnxt_en: Fix DCB ETS validation", " - atm: idt77252: Add missing `dma_map_error()`", " - um: vector: Reduce stack usage in vector_eth_configure()", " - net: usb: qmi_wwan: add SIMCom 8230C composition", " - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2", " - vt: add missing notification when switching back to text mode", " - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY", " - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras", " - Input: atkbd - do not skip atkbd_deactivate() when skipping", " ATKBD_CMD_GETID", " - x86/mm: Disable hugetlb page table sharing on 32-bit", " - Linux 5.15.189", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38067", " - rseq: Fix segfault on registration when rseq_cs is non-zero", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38074", " - vhost-scsi: protect vq->log_used with vq->mutex", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38439", " - bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38441", " - netfilter: flowtable: account for Ethernet header in", " nf_flow_pppoe_proto()", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38443", " - nbd: fix uaf in nbd_genl_connect() error path", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38444", " - raid10: cleanup memleak at raid10_make_request", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38445", " - md/raid1: Fix stack memory use after return in raid1_reshape", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38375", " - virtio-net: ensure the received length does not exceed allocated size", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38448", " - usb: gadget: u_serial: Fix race condition in TTY wakeup", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2024-44939", " - jfs: fix null ptr deref in dtInsertEntry", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2024-26775", " - aoe: avoid potential deadlock at set_capacity", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2022-48703", " - thermal/int340x_thermal: handle data_vault when the value is", " ZERO_SIZE_PTR", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38457", " - net/sched: Abort __tc_modify_qdisc if parent class does not exist", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38458", " - atm: clip: Fix NULL pointer dereference in vcc_sendmsg()", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38459", " - atm: clip: Fix infinite recursive call of clip_push().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38460", " - atm: clip: Fix potential null-ptr-deref in to_atmarpd().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38461", " - vsock: Fix transport_* TOCTOU", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38462", " - vsock: Fix transport_{g2h,h2g} TOCTOU", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38464", " - tipc: Fix use-after-free in tipc_conn_close().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38465", " - netlink: Fix wraparounds of sk->sk_rmem_alloc.", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38466", " - perf: Revert to requiring CAP_SYS_ADMIN for uprobes", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38467", " - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling", " * Jammy update: v5.15.188 upstream stable release (LP: #2118993)", " - Linux 5.15.188", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977)", " - cifs: Fix cifs_query_path_info() for Windows NT servers", " - NFSv4: Always set NLINK even if the server doesn't support it", " - NFSv4.2: fix listxattr to return selinux security label", " - mailbox: Not protect module_put with spin_lock_irqsave", " - mfd: max14577: Fix wakeup source leaks on device unbind", " - leds: multicolor: Fix intensity setting while SW blinking", " - hwmon: (pmbus/max34440) Fix support for max34451", " - ksmbd: allow a filename to contain special characters on SMB3.1.1 posix", " extension", " - dmaengine: xilinx_dma: Set dma_device directions", " - md/md-bitmap: fix dm-raid max_write_behind setting", " - iio: pressure: zpa2326: Use aligned_s64 for the timestamp", " - um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h", " - coresight: Only check bottom two claim bits", " - usb: dwc2: also exit clock_gating when stopping udc while suspended", " - usb: potential integer overflow in usbg_make_tpg()", " - usb: common: usb-conn-gpio: use a unique name for usb connector device", " - usb: Add checks for snprintf() calls in usb_alloc_dev()", " - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s", " - usb: typec: displayport: Receive DP Status Update NAK request exit dp", " altmode", " - ALSA: hda: Ignore unsol events for cards being shut down", " - ALSA: hda: Add new pci id for AMD GPU display HD audio controller", " - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock", " - ceph: fix possible integer overflow in ceph_zero_objects()", " - ovl: Check for NULL d_inode() in ovl_dentry_upper()", " - fs/jfs: consolidate sanity checking in dbMount", " - media: davinci: vpif: Fix memory leak in probe error path", " - media: omap3isp: use sgtable-based scatterlist wrappers", " - clk: ti: am43xx: Add clkctrl data for am43xx ADC1", " - media: imx-jpeg: Drop the first error frames", " - f2fs: don't over-report free space or inodes in statvfs", " - Drivers: hv: Rename 'alloced' to 'allocated'", " - Drivers: hv: vmbus: Add utility function for querying ring size", " - uio_hv_generic: Query the ringbuffer size for device", " - uio_hv_generic: Align ring size to system page", " - fbcon: delete a few unneeded forward decl", " - tty/vt: consolemap: rename and document struct uni_pagedir", " - vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen()", " - vgacon: remove unneeded forward declarations", " - tty: vt: make init parameter of consw::con_init() a bool", " - tty: vt: sanitize arguments of consw::con_clear()", " - tty: vt: make consw::con_switch() return a bool", " - dummycon: Trigger redraw when switching consoles with deferred takeover", " - platform/x86: ideapad-laptop: use usleep_range() for EC polling", " - i2c: tiny-usb: disable zero-length read messages", " - i2c: robotfuzz-osif: disable zero-length read messages", " - attach_recursive_mnt(): do not lock the covering tree when sliding", " something under it", " - libbpf: Fix null pointer dereference in btf_dump__free on allocation", " failure", " - wifi: mac80211: fix beacon interval calculation overflow", " - af_unix: Don't set -ECONNRESET for consumed OOB skb.", " - vsock/uapi: fix linux/vm_sockets.h userspace compilation errors", " - um: ubd: Add missing error check in start_io_thread()", " - net: enetc: Correct endianness handling in _enetc_rd_reg64", " - net: selftests: fix TCP packet checksum", " - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()", " - dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive", " - Bluetooth: L2CAP: Fix L2CAP MTU negotiation", " - dm-raid: fix variable in journal device check", " - btrfs: update superblock's device bytes_used when dropping chunk", " - HID: wacom: fix memory leak on kobject creation failure", " - HID: wacom: fix memory leak on sysfs attribute creation failure", " - HID: wacom: fix kobject reference count leak", " - drm/tegra: Assign plane type before registration", " - drm/tegra: Fix a possible null pointer dereference", " - drm/udl: Unregister device before cleaning up on disconnect", " - drm/amdkfd: Fix race in GWS queue scheduling", " - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()", " - drm/bridge: cdns-dsi: Fix connecting to next bridge", " - drm/bridge: cdns-dsi: Check return value when getting default PHY config", " - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready", " - drm/amd/display: Add null pointer check for get_first_active_display()", " - PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time", " - media: uvcvideo: Rollback non processed entities on error", " - s390/entry: Fix last breaking event handling in case of stack corruption", " - s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS", " - Revert \"ipv6: save dontfrag in cork\"", " - arm64: Restrict pagetable teardown to avoid false warning", " - ARM: 9354/1: ptrace: Use bitfield helpers", " - rtc: cmos: use spin_lock_irqsave in cmos_interrupt", " - vsock/vmci: Clear the vmci transport packet properly when initializing", " it", " - mmc: sdhci: Add a helper function for dump register in dynamic debug", " mode", " - Revert \"mmc: sdhci: Disable SD card clock before changing parameters\"", " - usb: typec: altmodes/displayport: do not index invalid pin_assignments", " - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data", " - mtk-sd: Prevent memory corruption from DMA map failure", " - mtk-sd: reset host->mrq on prepare_data() error", " - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment", " - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert", " - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.", " - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN", " - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()", " - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()", " - scsi: ufs: core: Fix spelling of a sysfs attribute name", " - RDMA/mlx5: Fix CC counters query for MPV", " - btrfs: fix missing error handling when searching for inode refs during", " log replay", " - drm/exynos: fimd: Guard display clock control with runtime PM calls", " - spi: spi-fsl-dspi: Clear completion counter before initiating transfer", " - drm/i915/selftests: Change mock_request() to return error pointers", " - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs", " callbacks", " - drm/i915/gt: Fix timeline left held on VMA alloc error", " - igc: disable L1.2 PCI-E link substate to avoid performance issue", " - lib: test_objagg: Set error message in check_expect_hints_stats()", " - amd-xgbe: align CL37 AN sequence as per databook", " - enic: fix incorrect MTU comparison in enic_change_mtu()", " - rose: fix dangling neighbour pointers in rose_rt_device_down()", " - nui: Fix dma_mapping_error() check", " - drm/msm: Fix a fence leak in submit error path", " - ALSA: sb: Don't allow changing the DMA mode during operations", " - ALSA: sb: Force to disable DMAs once when DMA mode is changed", " - ata: pata_cs5536: fix build on 32-bit UML", " - powerpc: Fix struct termio related ioctl macros", " - scsi: target: Fix NULL pointer dereference in", " core_scsi3_decode_spec_i_port()", " - wifi: mac80211: drop invalid source address OCB frames", " - wifi: ath6kl: remove WARN on bad firmware input", " - ACPICA: Refuse to evaluate a method if arguments are missing", " - mtd: spinand: fix memory leak of ECC engine conf", " - rcu: Return early if callback is not specified", " - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier", " - regulator: gpio: Add input_supply support in gpio_regulator_config", " - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods", " - drm/v3d: Disable interrupts before resetting the GPU", " - NFSv4/flexfiles: Fix handling of NFS level errors in I/O", " - ethernet: atl1: Add missing DMA mapping error checks and count errors", " - dpaa2-eth: Update dpni_get_single_step_cfg command", " - dpaa2-eth: Update SINGLE_STEP register access", " - net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats", " - dpaa2-eth: fix xdp_rxq_info leak", " - platform/x86: think-lmi: Fix class device unregistration", " - platform/x86: dell-wmi-sysman: Fix class device unregistration", " - xhci: dbctty: disable ECHO flag by default", " - xhci: dbc: Flush queued requests before stopping dbc", " - usb: cdnsp: do not disable slot for disabled slot", " - i2c/designware: Fix an initialization issue", " - Logitech C-270 even more broken", " - platform/x86: think-lmi: Create ksets consecutively", " - usb: typec: displayport: Fix potential deadlock", " - [Config] enable TSA mitigation", " - KVM: x86: add support for CPUID leaf 0x80000021", " - Linux 5.15.187", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2024-36350 // CVE-2024-36357", " - x86/bugs: Rename MDS machinery to something more generic", " - x86/bugs: Add a Transient Scheduler Attacks mitigation", " - x86/CPU/AMD: Properly check the TSA microcode", " - x86: Fix X86_FEATURE_VERW_CLEAR definition", " - KVM: SVM: Advertise TSA CPUID bits to guests", " - x86/process: Move the buffer clearing before MONITOR", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2024-26726", " - btrfs: don't drop extent_map for free space inode on write error", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38245", " - atm: Release atm_dev_mutex after removing procfs in", " atm_dev_deregister().", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38249", " - ALSA: usb-audio: Fix out-of-bounds read in", " snd_usb_get_audioformat_uac3()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38251", " - atm: clip: prevent NULL deref in clip_push()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38257", " - s390/pkey: Prevent overflow in size calculation for memdup_user()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38230", " - jfs: validate AG parameters in dbMount() to prevent crashes", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38262", " - tty: serial: uartlite: register uart driver in init", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38263", " - bcache: fix NULL pointer in cache_set_flush()", " * Jammy update: v5.15.186 upstream stable release (LP: #2116904)", " - tracing: Fix compilation warning on arm32", " - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31", " - pinctrl: armada-37xx: set GPIO output value before setting direction", " - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()", " - rtc: Make rtc_time64_to_tm() support dates before 1970", " - rtc: Fix offset calculation for .start_secs < 0", " - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE", " - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device", " - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB", " - usb: usbtmc: Fix timeout value in get_stb", " - thunderbolt: Do not double dequeue a configuration request", " - gfs2: gfs2_create_inode error handling fix", " - perf/core: Fix broken throttling when max_samples_per_tick=1", " - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions", " - x86/cpu: Sanitize CPUID(0x80000000) output", " - crypto: marvell/cesa - Handle zero-length skcipher requests", " - crypto: marvell/cesa - Avoid empty transfer descriptor", " - crypto: lrw - Only add ecb if it is not already there", " - crypto: xts - Only add ecb if it is not already there", " - crypto: sun8i-ce - move fallback ahash_request to the end of the struct", " - EDAC/skx_common: Fix general protection fault", " - power: reset: at91-reset: Optimize at91_reset()", " - PM: wakeup: Delete space in the end of string shown by", " pm_show_wakelocks()", " - x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()", " - ACPI: OSI: Stop advertising support for \"3.0 _SCP Extensions\"", " - spi: sh-msiof: Fix maximum DMA transfer size", " - drm/amd/pp: Fix potential NULL pointer dereference in", " atomctrl_initialize_mc_reg_table", " - media: rkvdec: Fix frame size enumeration", " - fs/ntfs3: handle hdr_first_de() return value", " - m68k: mac: Fix macintosh_config for Mac II", " - firmware: psci: Fix refcount leak in psci_dt_init", " - selftests/seccomp: fix syscall_restart test for arm compat", " - drm: rcar-du: Fix memory leak in rcar_du_vsps_init()", " - drm/vkms: Adjust vkms_state->active_planes allocation type", " - drm/tegra: rgb: Fix the unbound reference count", " - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES", " - wifi: ath11k: fix node corruption in ar->arvifs list", " - IB/cm: use rwlock for MAD agent lock", " - bpf, sockmap: fix duplicated data transmission", " - f2fs: fix to do sanity check on sbi->total_valid_block_count", " - net: ncsi: Fix GCPS 64-bit member variables", " - libbpf: Fix buffer overflow in bpf_object__init_prog", " - wifi: rtw88: do not ignore hardware read error during DPK", " - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h", " - iommu: Protect against overflow in iommu_pgsize()", " - f2fs: clean up w/ fscrypt_is_bounce_page()", " - f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()", " - libbpf: Use proper errno value in linker", " - netfilter: bridge: Move specific fragmented packet to slow_path instead", " of dropping it", " - netfilter: nft_quota: match correctly when the quota just depleted", " - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction", " - bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ", " - clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs", " - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()", " - ktls, sockmap: Fix missing uncharge operation", " - libbpf: Use proper errno value in nlattr", " - pinctrl: at91: Fix possible out-of-boundary access", " - bpf: Fix WARN() in get_bpf_raw_tp_regs", " - clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz", " - s390/bpf: Store backchain even for leaf progs", " - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds", " - wifi: ath9k_htc: Abort software beacon handling if disabled", " - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy", " - vfio/type1: Fix error unwind in migration dirty bitmap allocation", " - bpf, sockmap: Avoid using sk_socket after free when sending", " - netfilter: nft_tunnel: fix geneve_opt dump", " - net: usb: aqc111: fix error handling of usbnet read calls", " - bpf: Avoid __bpf_prog_ret0_warn when jit fails", " - net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy", " - calipso: Don't call calipso functions for AF_INET sk.", " - net: openvswitch: Fix the dead loop of MPLS parse", " - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames", " - f2fs: use d_inode(dentry) cleanup dentry->d_inode", " - f2fs: fix to correct check conditions in f2fs_cross_rename", " - ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select", " - ARM: dts: at91: at91sam9263: fix NAND chip selects", " - arm64: dts: imx8mm-beacon: Fix RTC capacitive load", " - arm64: dts: imx8mn-beacon: Fix RTC capacitive load", " - Squashfs: check return result of sb_min_blocksize", " - ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery", " - nilfs2: add pointer check for nilfs_direct_propagate()", " - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()", " - bus: fsl-mc: fix double-free on mc_dev", " - ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon", " device", " - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399", " Puma with Haikou", " - soc: aspeed: lpc: Fix impossible judgment condition", " - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()", " - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()", " - perf build: Warn when libdebuginfod devel files are not available", " - perf ui browser hists: Set actions->thread before calling", " do_zoom_thread()", " - backlight: pm8941: Add NULL check in wled_configure()", " - perf scripts python: exported-sql-viewer.py: Fix pattern matching with", " Python 3", " - remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe", " - rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()", " - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in", " exynos_lpass_remove()", " - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE", " - perf tests switch-tracking: Fix timestamp comparison", " - perf record: Fix incorrect --user-regs comments", " - nfs: clear SB_RDONLY before getting superblock", " - nfs: ignore SB_RDONLY when remounting nfs", " - rtc: sh: assign correct interrupts with DT", " - PCI: cadence: Fix runtime atomic count underflow", " - dmaengine: ti: Add NULL check in udma_probe()", " - PCI/DPC: Initialize aer_err_info before using it", " - usb: renesas_usbhs: Reorder clock handling and power management in probe", " - serial: Fix potential null-ptr-deref in mlb_usio_probe()", " - iio: adc: ad7124: Fix 3dB filter frequency reading", " - MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a", " - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()", " - net: stmmac: platform: guarantee uniqueness of bus_id", " - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt", " - net: tipc: fix refcount warning in tipc_aead_encrypt", " - driver: net: ethernet: mtk_star_emac: fix suspend/resume issue", " - net/mlx4_en: Prevent potential integer overflow calculating Hz", " - spi: bcm63xx-spi: fix shared reset", " - spi: bcm63xx-hsspi: fix shared reset", " - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION", " - ice: create new Tx scheduler nodes for new queues only", " - net: dsa: tag_brcm: legacy: fix pskb_may_pull length", " - vmxnet3: correctly report gso type for UDP tunnels", " - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices", " - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO", " - netfilter: nf_set_pipapo_avx2: fix initial map fill", " - wireguard: device: enable threaded NAPI", " - seg6: Fix validation of nexthop addresses", " - fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)", " - do_change_type(): refuse to operate on unmounted/not ours mounts", " - pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()", " - Input: synaptics-rmi4 - convert to use sysfs_emit() APIs", " - Input: synaptics-rmi - fix crash with unsupported versions of F34", " - arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property", " - arm64: dts: ti: k3-am65-main: Fix sdhci node properties", " - arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0", " - serial: sh-sci: Check if TX data was written to device in .tx_empty()", " - serial: sh-sci: Move runtime PM enable to sci_probe_single()", " - serial: sh-sci: Clean sci_ports[0] after at earlycon exit", " - scsi: core: ufs: Fix a hang in the error handler", " - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()", " - ath10k: snoc: fix unbalanced IRQ enable in crash recovery", " - scsi: iscsi: Fix incorrect error path labels for flashnode operations", " - net_sched: sch_sfq: fix a potential crash on gso_skb handling", " - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap", " - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()", " - drm/meson: use unsigned long long / Hz for frequency types", " - drm/meson: fix debug log statement when setting the HDMI clocks", " - drm/meson: use vclk_freq instead of pixel_freq in debug print", " - drm/meson: fix more rounding issues with 59.94Hz modes", " - i40e: return false from i40e_reset_vf if reset is in progress", " - i40e: retry VFLR handling if there is ongoing VF reset", " - net: Fix TOCTOU issue in sk_is_readable()", " - macsec: MACsec SCI assignment for ES = 0", " - net: mdio: C22 is now optional, EOPNOTSUPP if not provided", " - net/mdiobus: Fix potential out-of-bounds read/write access", " - net/mlx5: Ensure fw pages are always allocated on same NUMA", " - net/mlx5: Fix return value when searching for existing flow group", " - net_sched: red: fix a race in __red_change()", " - net_sched: tbf: fix a race in tbf_change()", " - net_sched: ets: fix a race in ets_qdisc_change()", " - fs/filesystems: Fix potential unsigned integer underflow in fs_name()", " - nvmet-fcloop: access fcpreq only when holding reqlock", " - perf: Ensure bpf_perf_link path is properly serialized", " - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1", " - posix-cpu-timers: fix race between handle_posix_cpu_timers() and", " posix_cpu_timer_del()", " - x86/boot/compressed: prefer cc-option for CFLAGS additions", " - MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option", " - MIPS: Prefer cc-option for additions to cflags", " - kbuild: Update assembler calls to use proper flags and language target", " - drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang", " - mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation", " - kbuild: Add CLANG_FLAGS to as-instr", " - kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS", " - kbuild: Add KBUILD_CPPFLAGS to as-option invocation", " - drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for", " clang", " - usb: usbtmc: Fix read_stb function and get_stb ioctl", " - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify", " - usb: cdnsp: Fix issue with detecting command completion event", " - usb: cdnsp: Fix issue with detecting USB 3.2 speed", " - usb: Flush altsetting 0 endpoints before reinitializating them after", " reset.", " - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()", " - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall", " - x86/iopl: Cure TIF_IO_BITMAP inconsistencies", " - calipso: unlock rcu before returning -EAFNOSUPPORT", " - net: usb: aqc111: debug info before sanitation", " - drm/meson: Use 1000ULL when operating with mode->clock", " - kbuild: userprogs: fix bitsize and target detection on clang", " - kbuild: hdrcheck: fix cross build with clang", " - xfs: allow inode inactivation during a ro mount log recovery", " - configfs: Do not override creating attribute file failure in", " populate_attrs()", " - crypto: marvell/cesa - Do not chain submitted requests", " - gfs2: move msleep to sleepable context", " - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params()", " - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing", " - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power", " states", " - net/mlx5_core: Add error handling", " inmlx5_query_nic_vport_qkey_viol_cntr()", " - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()", " - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()", " - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request", " - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference", " - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()", " - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723", " - media: ov8856: suppress probe deferral errors", " - media: ccs-pll: Start VT pre-PLL multiplier search from correct value", " - media: ccs-pll: Start OP pre-PLL multiplier search from correct value", " - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div", " - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case", " - media: cxusb: no longer judge rbuf when the write fails", " - media: gspca: Add error handling for stv06xx_read_sensor()", " - media: v4l2-dev: fix error handling in __video_register_device()", " - media: venus: Fix probe error handling", " - media: videobuf2: use sgtable-based scatterlist wrappers", " - media: vidtv: Terminating the subsequent process of initialization", " failure", " - media: vivid: Change the siize of the composing", " - media: uvcvideo: Return the number of processed controls", " - media: uvcvideo: Send control events for partial succeeds", " - media: uvcvideo: Fix deferred probing error", " - ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()", " - ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4", " - bus: mhi: host: Fix conflict between power_up and SYSERR", " - can: tcan4x5x: fix power regulator retrieval during probe", " - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330", " - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device", " - bus: fsl-mc: fix GET/SET_TAILDROP command ids", " - ext4: inline: fix len overflow in ext4_prepare_inline_data", " - ext4: fix calculation of credits for extent tree modification", " - ext4: factor out ext4_get_maxbytes()", " - ext4: ensure i_size is smaller than maxbytes", " - Input: ims-pcu - check record size in ims_pcu_flash_firmware()", " - f2fs: prevent kernel warning due to negative i_nlink from corrupted", " image", " - f2fs: fix to do sanity check on sit_bitmap_size", " - NFC: nci: uart: Set tty->disc_data only in success path", " - EDAC/altera: Use correct write width with the INTTEST register", " - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var", " - vgacon: Add check for vc_origin address range in vgacon_scroll()", " - parisc: fix building with gcc-15", " - clk: meson-g12a: add missing fclk_div2 to spicc", " - ipc: fix to protect IPCS lookups using RCU", " - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction", " - mm: fix ratelimit_pages update error in dirty_ratio_handler()", " - mtd: rawnand: sunxi: Add randomizer configuration in", " sunxi_nfc_hw_ecc_write_chunk", " - mtd: nand: sunxi: Add randomizer configuration before randomizer enable", " - dm-mirror: fix a tiny race condition", " - ftrace: Fix UAF when lookup kallsym after ftrace disabled", " - net: ch9200: fix uninitialised access during mii_nway_restart", " - staging: iio: ad5933: Correct settling cycles encoding per datasheet", " - mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS", " - regulator: max14577: Add error check for max14577_read_reg()", " - remoteproc: core: Cleanup acquired resources when", " rproc_handle_resources() fails in rproc_attach()", " - remoteproc: core: Release rproc->clean_table after rproc_attach() fails", " - uio_hv_generic: Use correct size for interrupt and monitor pages", " - PCI: cadence-ep: Correct PBA offset in .set_msix() callback", " - PCI: Add ACS quirk for Loongson PCIe", " - PCI: Fix lock symmetry in pci_slot_unlock()", " - PCI: dw-rockchip: Fix PHY function call sequence in", " rockchip_pcie_phy_deinit()", " - iio: accel: fxls8962af: Fix temperature scan element sign", " - iio: imu: inv_icm42600: Fix temperature calculation", " - iio: adc: ad7606_spi: fix reg write value mask", " - ACPICA: fix acpi operand cache leak in dswstate.c", " - clocksource: Fix the CPUs' choice in the watchdog per CPU verification", " - ACPICA: Avoid sequence overread in call to strncmp()", " - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change", " - ACPI: bus: Bail out if acpi_kobj registration fails", " - ACPICA: fix acpi parse and parseext cache leaks", " - power: supply: bq27xxx: Retrieve again when busy", " - ACPICA: utilities: Fix overflow check in vsnprintf()", " - ASoC: tegra210_ahub: Add check to of_device_get_match_data()", " - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()", " - ACPI: battery: negate current when discharging", " - drm/amdgpu/gfx6: fix CSIB handling", " - sunrpc: update nextcheck time when adding new cache entries", " - drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling", " disable_irq()", " - exfat: fix double free in delayed_free", " - drm/bridge: anx7625: change the gpiod_set_value API", " - media: i2c: imx334: Enable runtime PM before sub-device registration", " - drm/msm/hdmi: add runtime PM calls to DDC transfer function", " - media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition", " - drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit()", " - drm/msm/a6xx: Increase HFI response timeout", " - media: i2c: imx334: Fix runtime PM handling in remove function", " - drm/amdgpu/gfx10: fix CSIB handling", " - media: ccs-pll: Better validate VT PLL branch", " - media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition", " - drm/amdgpu/gfx7: fix CSIB handling", " - ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in", " ext4_ext_remove_space()", " - jfs: fix array-index-out-of-bounds read in add_missing_indices", " - media: ti: cal: Fix wrong goto on error path", " - media: rkvdec: Initialize the m2m context before the controls", " - sunrpc: fix race in cache cleanup causing stale nextcheck time", " - ext4: prevent stale extent cache entries caused by concurrent get", " es_cache", " - drm/amdgpu/gfx8: fix CSIB handling", " - drm/amdgpu/gfx9: fix CSIB handling", " - jfs: Fix null-ptr-deref in jfs_ioc_trim", " - drm/msm/dpu: don't select single flush for active CTL blocks", " - drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB", " - media: tc358743: ignore video while HPD is low", " - media: platform: exynos4-is: Add hardware sync wait to", " fimc_is_hw_change_mode()", " - media: i2c: imx334: update mode_3840x2160_regs array", " - nios2: force update_mmu_cache on spurious tlb-permission--related", " pagefaults", " - pmdomain: ti: Fix STANDBY handling of PER power domain", " - thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for", " IP v2+", " - cpufreq: Force sync policy boost with global boost on sysfs update", " - net: macb: Check return value of dma_set_mask_and_coherent()", " - tipc: use kfree_sensitive() for aead cleanup", " - i2c: designware: Invoke runtime suspend on quick slave re-registration", " - emulex/benet: correct command version selection in be_cmd_get_stats()", " - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R", " - sctp: Do not wake readers in __sctp_write_space()", " - cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs", " - i2c: npcm: Add clock toggle recovery", " - net: dlink: add synchronization for stats update", " - tcp: always seek for minimal rtt in tcp_rcv_rtt_update()", " - tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows", " - ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT", " - net: atlantic: generate software timestamp just before the doorbell", " - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()", " - pinctrl: armada-37xx: propagate error from", " armada_37xx_gpio_get_direction()", " - pinctrl: armada-37xx: propagate error from", " armada_37xx_pmx_gpio_set_direction()", " - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()", " - net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info", " - wifi: mac80211: do not offer a mesh path if forwarding is disabled", " - clk: rockchip: rk3036: mark ddrphy as critical", " - libbpf: Add identical pointer detection to btf_dedup_is_equiv()", " - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64", " commands", " - iommu/amd: Ensure GA log notifier callbacks finish running before module", " unload", " - net: bridge: mcast: re-implement br_multicast_{enable, disable}_port", " functions", " - vxlan: Do not treat dst cache initialization errors as fatal", " - software node: Correct a OOB check in software_node_get_reference_args()", " - pinctrl: mcp23s08: Reset all pins to input at probe", " - scsi: lpfc: Use memcpy() for BIOS version", " - sock: Correct error checking condition for (assign|release)_proto_idx()", " - i40e: fix MMIO write access to an invalid page in i40e_clear_hw", " - bpf, sockmap: Fix data lost during EAGAIN retries", " - octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer()", " - watchdog: da9052_wdt: respect TWDMIN", " - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value", " - ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY", " - tee: Prevent size calculation wraparound on 32-bit kernels", " - Revert \"bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices", " first\"", " - platform/x86: dell_rbu: Fix list usage", " - platform/x86: dell_rbu: Stop overwriting data buffer", " - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH", " recovery", " - Revert \"x86/bugs: Make spectre user default depend on", " MITIGATION_SPECTRE_V2\" on v6.6 and older", " - drivers/rapidio/rio_cm.c: prevent possible heap overwrite", " - jffs2: check that raw node were preallocated before writing summary", " - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places", " - scsi: storvsc: Increase the timeouts to storvsc_timeout", " - scsi: s390: zfcp: Ensure synchronous unit_add", " - udmabuf: use sgtable-based scatterlist wrappers", " - selftests/x86: Add a test to detect infinite SIGTRAP handler loop", " - selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len", " - atm: Revert atm_account_tx() if copy_from_iter_full() fails.", " - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()", " - block: default BLOCK_LEGACY_AUTOLOAD to y", " - Input: sparcspkr - avoid unannotated fall-through", " - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound", " card", " - ALSA: hda/intel: Add Thinkpad E15 to PM deny list", " - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged", " - iio: accel: fxls8962af: Fix temperature calculation", " - mm/hugetlb: unshare page tables during VMA split, not before", " - mm: hugetlb: independent PMD page table shared count", " - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race", " - erofs: remove unused trace event erofs_destroy_inode", " - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate", " - drm/nouveau/bl: increase buffer size to avoid truncate warning", " - hwmon: (occ) Add soft minimum power cap attribute", " - hwmon: (occ) Rework attribute registration for stack usage", " - hwmon: (occ) fix unaligned accesses", " - pldmfw: Select CRC32 when PLDMFW is selected", " - aoe: clean device rq_list in aoedev_downdev()", " - net: ice: Perform accurate aRFS flow match", " - ptp: fix breakage after ptp_vclock_in_use() rework", " - wifi: carl9170: do not ping device which has failed to load firmware", " - mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().", " - atm: atmtcp: Free invalid length skb in atmtcp_c_send().", " - tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen()", " behavior", " - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer", " - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().", " - net: atm: add lec_mutex", " - net: atm: fix /proc/net/atm/lec handling", " - ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board", " - ARM: dts: am335x-bone-common: Increase MDIO reset deassert time", " - ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms", " - serial: sh-sci: Increment the runtime usage counter for the earlycon", " device", " - Revert \"cpufreq: tegra186: Share policy per cluster\"", " - arm64: move AARCH64_BREAK_FAULT into insn-def.h", " - arm64: insn: add encoders for atomic operations", " - arm64: insn: Add support for encoding DSB", " - arm64: proton-pack: Expose whether the platform is mitigated by firmware", " - arm64: proton-pack: Expose whether the branchy loop k value", " - arm64: spectre: increase parameters that can be used to turn off bhb", " mitigation individually", " - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs", " - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users", " - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation", " - net_sched: sch_sfq: reject invalid perturb period", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " - ext4: make 'abort' mount option handling standard", " - ext4: avoid remount errors with 'abort' mount option", " - net: Fix checksum update for ILA adj-transport", " - bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE", " - s390/pci: Fix __pcilg_mio_inuser() inline assembly", " - perf: Fix sample vs do_exit()", " - arm64/ptrace: Fix stack-out-of-bounds read in", " regs_get_kernel_stack_nth()", " - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()", " - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops", " - Linux 5.15.186", " * CVE-2024-57996 // CVE-2025-37752", " - net_sched: sch_sfq: annotate data-races around q->perturb_period", " - net_sched: sch_sfq: handle bigger packets", " - net_sched: sch_sfq: don't allow 1 packet limit", " - net_sched: sch_sfq: use a temporary work area for validating", " configuration", " - net_sched: sch_sfq: move the limit validation", " * CVE-2025-38350", " - net/sched: Always pass notifications when child class becomes empty", " * CVE-2024-27407", " - fs/ntfs3: Fixed overflow check in mi_enum_attr()", " * watchdog: BUG: soft lockup - CPU#6 stuck for 5718s! [wdavdaemon:1134] with", " 5.15.0-144-generic (LP: #2118407)", " - fs/proc: do_task_stat: use __for_each_thread()", "" ], "package": "linux-kvm", "version": "5.15.0-1088.93", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2120084, 1786013, 2120207, 2118499, 2120098, 1786013, 2107816, 2115238, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118993, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2116904, 2118407 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 15:58:05 +0800" } ], "notes": "linux-headers-5.15.0-1088-kvm version '5.15.0-1088.93' (source package linux-kvm version '5.15.0-1088.93') was added. linux-headers-5.15.0-1088-kvm version '5.15.0-1088.93' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1087-kvm. As such we can use the source package version of the removed package, '5.15.0-1087.92', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-5.15.0-1088-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1087.92", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1088.93", "version": "5.15.0-1088.93" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-1088.93", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.15.0-1088.93", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 16:19:38 +0800" } ], "notes": "linux-image-5.15.0-1088-kvm version '5.15.0-1088.93' (source package linux-signed-kvm version '5.15.0-1088.93') was added. linux-image-5.15.0-1088-kvm version '5.15.0-1088.93' has the same source package name, linux-signed-kvm, as removed package linux-image-5.15.0-1087-kvm. As such we can use the source package version of the removed package, '5.15.0-1087.92', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-kvm-headers-5.15.0-1088", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1087.92", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1088.93", "version": "5.15.0-1088.93" }, "cves": [ { "cve": "CVE-2025-38067", "url": "https://ubuntu.com/security/CVE-2025-38067", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38074", "url": "https://ubuntu.com/security/CVE-2025-38074", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); \t\t\t\t QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38439", "url": "https://ubuntu.com/security/CVE-2025-38439", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38441", "url": "https://ubuntu.com/security/CVE-2025-38441", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38443", "url": "https://ubuntu.com/security/CVE-2025-38443", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38444", "url": "https://ubuntu.com/security/CVE-2025-38444", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm \"fio\", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38445", "url": "https://ubuntu.com/security/CVE-2025-38445", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { \t// newpool is on the stack \tmempool_t newpool, oldpool; \t// initialize newpool.wait.head to stack address \tmempool_init(&newpool, ...); \tconf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { \talloc_r1bio() \t{ \t\tmempool_alloc() \t\t{ \t\t\t// if pool->alloc fails \t\t\tremove_element() \t\t\t{ \t\t\t\t--pool->curr_nr; \t\t\t} \t\t} \t} } mempool_free() { \tif (pool->curr_nr < pool->min_nr) { \t\t// pool->wait.head is a stack address \t\t// wake_up() will try to access this invalid address \t\t// which leads to a kernel panic \t\treturn; \t\twake_up(&pool->wait); \t} } Fix: reinit conf->r1bio_pool.wait after assigning newpool.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38375", "url": "https://ubuntu.com/security/CVE-2025-38375", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.", "cve_priority": "medium", "cve_public_date": "2025-07-25 13:15:00 UTC" }, { "cve": "CVE-2025-38448", "url": "https://ubuntu.com/security/CVE-2025-38448", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1:\t\t\t CPU2: gserial_connect() // lock \t\t\t gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() \t\t\t gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-44939", "url": "https://ubuntu.com/security/CVE-2024-44939", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-26775", "url": "https://ubuntu.com/security/CVE-2024-26775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2022-48703", "url": "https://ubuntu.com/security/CVE-2022-48703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.", "cve_priority": "medium", "cve_public_date": "2024-05-03 16:15:00 UTC" }, { "cve": "CVE-2025-38457", "url": "https://ubuntu.com/security/CVE-2025-38457", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38458", "url": "https://ubuntu.com/security/CVE-2025-38458", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38459", "url": "https://ubuntu.com/security/CVE-2025-38459", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38460", "url": "https://ubuntu.com/security/CVE-2025-38460", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip causes unregister hang\"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38461", "url": "https://ubuntu.com/security/CVE-2025-38461", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38462", "url": "https://ubuntu.com/security/CVE-2025-38462", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38464", "url": "https://ubuntu.com/security/CVE-2025-38464", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38465", "url": "https://ubuntu.com/security/CVE-2025-38465", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) \tatomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e (\"udp: Fix multiple wraparounds of sk->sk_rmem_alloc.\"). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38466", "url": "https://ubuntu.com/security/CVE-2025-38466", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38467", "url": "https://ubuntu.com/security/CVE-2025-38467", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-36350", "url": "https://ubuntu.com/security/CVE-2024-36350", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-36357", "url": "https://ubuntu.com/security/CVE-2024-36357", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-26726", "url": "https://ubuntu.com/security/CVE-2024-26726", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2025-38245", "url": "https://ubuntu.com/security/CVE-2025-38245", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b ", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38249", "url": "https://ubuntu.com/security/CVE-2025-38249", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38251", "url": "https://ubuntu.com/security/CVE-2025-38251", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38257", "url": "https://ubuntu.com/security/CVE-2025-38257", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org).", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38230", "url": "https://ubuntu.com/security/CVE-2025-38230", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-07-04 14:15:00 UTC" }, { "cve": "CVE-2025-38262", "url": "https://ubuntu.com/security/CVE-2025-38262", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38263", "url": "https://ubuntu.com/security/CVE-2025-38263", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2024-57996", "url": "https://ubuntu.com/security/CVE-2024-57996", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.", "cve_priority": "medium", "cve_public_date": "2025-02-27 02:15:00 UTC" }, { "cve": "CVE-2025-37752", "url": "https://ubuntu.com/security/CVE-2025-37752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38350", "url": "https://ubuntu.com/security/CVE-2025-38350", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.", "cve_priority": "medium", "cve_public_date": "2025-07-19 07:15:00 UTC" }, { "cve": "CVE-2024-27407", "url": "https://ubuntu.com/security/CVE-2024-27407", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()", "cve_priority": "high", "cve_public_date": "2024-05-17 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2120084, 1786013, 2120207, 2118499, 2120098, 1786013, 2107816, 2115238, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118993, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2116904, 2118407 ], "changes": [ { "cves": [ { "cve": "CVE-2025-38067", "url": "https://ubuntu.com/security/CVE-2025-38067", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38074", "url": "https://ubuntu.com/security/CVE-2025-38074", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); \t\t\t\t QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38439", "url": "https://ubuntu.com/security/CVE-2025-38439", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38441", "url": "https://ubuntu.com/security/CVE-2025-38441", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38443", "url": "https://ubuntu.com/security/CVE-2025-38443", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38444", "url": "https://ubuntu.com/security/CVE-2025-38444", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm \"fio\", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38445", "url": "https://ubuntu.com/security/CVE-2025-38445", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { \t// newpool is on the stack \tmempool_t newpool, oldpool; \t// initialize newpool.wait.head to stack address \tmempool_init(&newpool, ...); \tconf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { \talloc_r1bio() \t{ \t\tmempool_alloc() \t\t{ \t\t\t// if pool->alloc fails \t\t\tremove_element() \t\t\t{ \t\t\t\t--pool->curr_nr; \t\t\t} \t\t} \t} } mempool_free() { \tif (pool->curr_nr < pool->min_nr) { \t\t// pool->wait.head is a stack address \t\t// wake_up() will try to access this invalid address \t\t// which leads to a kernel panic \t\treturn; \t\twake_up(&pool->wait); \t} } Fix: reinit conf->r1bio_pool.wait after assigning newpool.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38375", "url": "https://ubuntu.com/security/CVE-2025-38375", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.", "cve_priority": "medium", "cve_public_date": "2025-07-25 13:15:00 UTC" }, { "cve": "CVE-2025-38448", "url": "https://ubuntu.com/security/CVE-2025-38448", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1:\t\t\t CPU2: gserial_connect() // lock \t\t\t gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() \t\t\t gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-44939", "url": "https://ubuntu.com/security/CVE-2024-44939", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-26775", "url": "https://ubuntu.com/security/CVE-2024-26775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2022-48703", "url": "https://ubuntu.com/security/CVE-2022-48703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.", "cve_priority": "medium", "cve_public_date": "2024-05-03 16:15:00 UTC" }, { "cve": "CVE-2025-38457", "url": "https://ubuntu.com/security/CVE-2025-38457", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38458", "url": "https://ubuntu.com/security/CVE-2025-38458", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38459", "url": "https://ubuntu.com/security/CVE-2025-38459", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38460", "url": "https://ubuntu.com/security/CVE-2025-38460", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip causes unregister hang\"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38461", "url": "https://ubuntu.com/security/CVE-2025-38461", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38462", "url": "https://ubuntu.com/security/CVE-2025-38462", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38464", "url": "https://ubuntu.com/security/CVE-2025-38464", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38465", "url": "https://ubuntu.com/security/CVE-2025-38465", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) \tatomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e (\"udp: Fix multiple wraparounds of sk->sk_rmem_alloc.\"). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38466", "url": "https://ubuntu.com/security/CVE-2025-38466", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38467", "url": "https://ubuntu.com/security/CVE-2025-38467", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-36350", "url": "https://ubuntu.com/security/CVE-2024-36350", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-36357", "url": "https://ubuntu.com/security/CVE-2024-36357", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-26726", "url": "https://ubuntu.com/security/CVE-2024-26726", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2025-38245", "url": "https://ubuntu.com/security/CVE-2025-38245", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b ", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38249", "url": "https://ubuntu.com/security/CVE-2025-38249", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38251", "url": "https://ubuntu.com/security/CVE-2025-38251", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38257", "url": "https://ubuntu.com/security/CVE-2025-38257", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org).", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38230", "url": "https://ubuntu.com/security/CVE-2025-38230", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-07-04 14:15:00 UTC" }, { "cve": "CVE-2025-38262", "url": "https://ubuntu.com/security/CVE-2025-38262", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38263", "url": "https://ubuntu.com/security/CVE-2025-38263", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2024-57996", "url": "https://ubuntu.com/security/CVE-2024-57996", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.", "cve_priority": "medium", "cve_public_date": "2025-02-27 02:15:00 UTC" }, { "cve": "CVE-2025-37752", "url": "https://ubuntu.com/security/CVE-2025-37752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38350", "url": "https://ubuntu.com/security/CVE-2025-38350", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.", "cve_priority": "medium", "cve_public_date": "2025-07-19 07:15:00 UTC" }, { "cve": "CVE-2024-27407", "url": "https://ubuntu.com/security/CVE-2024-27407", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()", "cve_priority": "high", "cve_public_date": "2024-05-17 12:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1088.93 -proposed tracker (LP: #2120084)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.kvm/dkms-versions -- update from kernel-versions", " (main/2025.08.11)", "", " [ Ubuntu: 5.15.0-156.166 ]", "", " * jammy/linux: 5.15.0-156.166 -proposed tracker (LP: #2120207)", " * minimal kernel lacks modules for blk disk in arm64 openstack environments", " where config_drive is required (LP: #2118499)", " - [Config] Enable SYM53C8XX_2 on arm64", "", " [ Ubuntu: 5.15.0-154.164 ]", "", " * jammy/linux: 5.15.0-154.164 -proposed tracker (LP: #2120098)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2025.08.11)", " * warning at iommu_dma_unmap_page when running ibv_rc_pingpong", " (LP: #2107816)", " - RDMA/mlx5: Fix a WARN during dereg_mr for DM type", " * dmesg flooded with errors: amdgpu: DP AUX transfer fail:4 (LP: #2115238)", " - drm/amd/display: Avoid flooding unnecessary info messages", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995)", " - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode", " - fix proc_sys_compare() handling of in-lookup dentries", " - vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also", " `transport_local`", " - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap", " - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX", " - atm: clip: Fix memory leak of struct clip_vcc.", " - ice: safer stats processing", " - rxrpc: Fix oops due to non-existence of prealloc backlog struct", " - bpf: fix precision backtracking instruction iteration", " - bpf, sockmap: Fix skb refcnt race after locking changes", " - xen: replace xen_remap() with memremap()", " - x86/mce/amd: Fix threshold limit reset", " - x86/mce: Don't remove sysfs if thresholding sysfs init fails", " - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel", " - gre: Fix IPv6 multicast route creation.", " - pinctrl: qcom: msm: mark certain pins as invalid for interrupts", " - drm/sched: Increment job count before swapping tail spsc queue", " - drm/gem: Fix race in drm_gem_handle_create_tail()", " - Revert \"ACPI: battery: negate current when discharging\"", " - btrfs: propagate last_unlink_trans earlier when doing a rmdir", " - btrfs: use btrfs_record_snapshot_destroy() during rmdir", " - RDMA/mlx5: Fix vport loopback for MPV device", " - pwm: mediatek: Ensure to disable clocks in error path", " - netlink: Fix rmem check in netlink_broadcast_deliver().", " - netlink: make sure we allow at least one dump skb", " - xhci: Allow RPM on the USB controller (1022:43f7) by default", " - usb: xhci: quirk for data loss in ISOC transfers", " - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS", " - Input: xpad - support Acer NGR 200 Controller", " - usb:cdnsp: remove TRB_FLUSH_ENDPOINT command", " - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant", " - usb: cdnsp: Fix issue with CV Bad Descriptor test", " - usb: dwc3: Abort suspend on soft disconnect failure", " - dma-buf: add dma_resv_for_each_fence_unlocked v8", " - dma-buf: use new iterator in dma_resv_wait_timeout", " - dma-buf: fix timeout handling in dma_resv_wait_timeout v2", " - wifi: zd1211rw: Fix potential NULL pointer dereference in", " zd_mac_tx_to_dev()", " - smb: server: make use of rdma_destroy_qp()", " - ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()", " - net: appletalk: Fix device refcount leak in atrtr_create()", " - net: phy: microchip: limit 100M workaround to link-down events on", " LAN88xx", " - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to", " debug level", " - net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam()", " - bnxt_en: Fix DCB ETS validation", " - atm: idt77252: Add missing `dma_map_error()`", " - um: vector: Reduce stack usage in vector_eth_configure()", " - net: usb: qmi_wwan: add SIMCom 8230C composition", " - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2", " - vt: add missing notification when switching back to text mode", " - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY", " - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras", " - Input: atkbd - do not skip atkbd_deactivate() when skipping", " ATKBD_CMD_GETID", " - x86/mm: Disable hugetlb page table sharing on 32-bit", " - Linux 5.15.189", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38067", " - rseq: Fix segfault on registration when rseq_cs is non-zero", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38074", " - vhost-scsi: protect vq->log_used with vq->mutex", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38439", " - bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38441", " - netfilter: flowtable: account for Ethernet header in", " nf_flow_pppoe_proto()", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38443", " - nbd: fix uaf in nbd_genl_connect() error path", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38444", " - raid10: cleanup memleak at raid10_make_request", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38445", " - md/raid1: Fix stack memory use after return in raid1_reshape", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38375", " - virtio-net: ensure the received length does not exceed allocated size", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38448", " - usb: gadget: u_serial: Fix race condition in TTY wakeup", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2024-44939", " - jfs: fix null ptr deref in dtInsertEntry", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2024-26775", " - aoe: avoid potential deadlock at set_capacity", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2022-48703", " - thermal/int340x_thermal: handle data_vault when the value is", " ZERO_SIZE_PTR", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38457", " - net/sched: Abort __tc_modify_qdisc if parent class does not exist", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38458", " - atm: clip: Fix NULL pointer dereference in vcc_sendmsg()", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38459", " - atm: clip: Fix infinite recursive call of clip_push().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38460", " - atm: clip: Fix potential null-ptr-deref in to_atmarpd().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38461", " - vsock: Fix transport_* TOCTOU", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38462", " - vsock: Fix transport_{g2h,h2g} TOCTOU", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38464", " - tipc: Fix use-after-free in tipc_conn_close().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38465", " - netlink: Fix wraparounds of sk->sk_rmem_alloc.", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38466", " - perf: Revert to requiring CAP_SYS_ADMIN for uprobes", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38467", " - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling", " * Jammy update: v5.15.188 upstream stable release (LP: #2118993)", " - Linux 5.15.188", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977)", " - cifs: Fix cifs_query_path_info() for Windows NT servers", " - NFSv4: Always set NLINK even if the server doesn't support it", " - NFSv4.2: fix listxattr to return selinux security label", " - mailbox: Not protect module_put with spin_lock_irqsave", " - mfd: max14577: Fix wakeup source leaks on device unbind", " - leds: multicolor: Fix intensity setting while SW blinking", " - hwmon: (pmbus/max34440) Fix support for max34451", " - ksmbd: allow a filename to contain special characters on SMB3.1.1 posix", " extension", " - dmaengine: xilinx_dma: Set dma_device directions", " - md/md-bitmap: fix dm-raid max_write_behind setting", " - iio: pressure: zpa2326: Use aligned_s64 for the timestamp", " - um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h", " - coresight: Only check bottom two claim bits", " - usb: dwc2: also exit clock_gating when stopping udc while suspended", " - usb: potential integer overflow in usbg_make_tpg()", " - usb: common: usb-conn-gpio: use a unique name for usb connector device", " - usb: Add checks for snprintf() calls in usb_alloc_dev()", " - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s", " - usb: typec: displayport: Receive DP Status Update NAK request exit dp", " altmode", " - ALSA: hda: Ignore unsol events for cards being shut down", " - ALSA: hda: Add new pci id for AMD GPU display HD audio controller", " - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock", " - ceph: fix possible integer overflow in ceph_zero_objects()", " - ovl: Check for NULL d_inode() in ovl_dentry_upper()", " - fs/jfs: consolidate sanity checking in dbMount", " - media: davinci: vpif: Fix memory leak in probe error path", " - media: omap3isp: use sgtable-based scatterlist wrappers", " - clk: ti: am43xx: Add clkctrl data for am43xx ADC1", " - media: imx-jpeg: Drop the first error frames", " - f2fs: don't over-report free space or inodes in statvfs", " - Drivers: hv: Rename 'alloced' to 'allocated'", " - Drivers: hv: vmbus: Add utility function for querying ring size", " - uio_hv_generic: Query the ringbuffer size for device", " - uio_hv_generic: Align ring size to system page", " - fbcon: delete a few unneeded forward decl", " - tty/vt: consolemap: rename and document struct uni_pagedir", " - vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen()", " - vgacon: remove unneeded forward declarations", " - tty: vt: make init parameter of consw::con_init() a bool", " - tty: vt: sanitize arguments of consw::con_clear()", " - tty: vt: make consw::con_switch() return a bool", " - dummycon: Trigger redraw when switching consoles with deferred takeover", " - platform/x86: ideapad-laptop: use usleep_range() for EC polling", " - i2c: tiny-usb: disable zero-length read messages", " - i2c: robotfuzz-osif: disable zero-length read messages", " - attach_recursive_mnt(): do not lock the covering tree when sliding", " something under it", " - libbpf: Fix null pointer dereference in btf_dump__free on allocation", " failure", " - wifi: mac80211: fix beacon interval calculation overflow", " - af_unix: Don't set -ECONNRESET for consumed OOB skb.", " - vsock/uapi: fix linux/vm_sockets.h userspace compilation errors", " - um: ubd: Add missing error check in start_io_thread()", " - net: enetc: Correct endianness handling in _enetc_rd_reg64", " - net: selftests: fix TCP packet checksum", " - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()", " - dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive", " - Bluetooth: L2CAP: Fix L2CAP MTU negotiation", " - dm-raid: fix variable in journal device check", " - btrfs: update superblock's device bytes_used when dropping chunk", " - HID: wacom: fix memory leak on kobject creation failure", " - HID: wacom: fix memory leak on sysfs attribute creation failure", " - HID: wacom: fix kobject reference count leak", " - drm/tegra: Assign plane type before registration", " - drm/tegra: Fix a possible null pointer dereference", " - drm/udl: Unregister device before cleaning up on disconnect", " - drm/amdkfd: Fix race in GWS queue scheduling", " - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()", " - drm/bridge: cdns-dsi: Fix connecting to next bridge", " - drm/bridge: cdns-dsi: Check return value when getting default PHY config", " - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready", " - drm/amd/display: Add null pointer check for get_first_active_display()", " - PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time", " - media: uvcvideo: Rollback non processed entities on error", " - s390/entry: Fix last breaking event handling in case of stack corruption", " - s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS", " - Revert \"ipv6: save dontfrag in cork\"", " - arm64: Restrict pagetable teardown to avoid false warning", " - ARM: 9354/1: ptrace: Use bitfield helpers", " - rtc: cmos: use spin_lock_irqsave in cmos_interrupt", " - vsock/vmci: Clear the vmci transport packet properly when initializing", " it", " - mmc: sdhci: Add a helper function for dump register in dynamic debug", " mode", " - Revert \"mmc: sdhci: Disable SD card clock before changing parameters\"", " - usb: typec: altmodes/displayport: do not index invalid pin_assignments", " - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data", " - mtk-sd: Prevent memory corruption from DMA map failure", " - mtk-sd: reset host->mrq on prepare_data() error", " - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment", " - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert", " - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.", " - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN", " - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()", " - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()", " - scsi: ufs: core: Fix spelling of a sysfs attribute name", " - RDMA/mlx5: Fix CC counters query for MPV", " - btrfs: fix missing error handling when searching for inode refs during", " log replay", " - drm/exynos: fimd: Guard display clock control with runtime PM calls", " - spi: spi-fsl-dspi: Clear completion counter before initiating transfer", " - drm/i915/selftests: Change mock_request() to return error pointers", " - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs", " callbacks", " - drm/i915/gt: Fix timeline left held on VMA alloc error", " - igc: disable L1.2 PCI-E link substate to avoid performance issue", " - lib: test_objagg: Set error message in check_expect_hints_stats()", " - amd-xgbe: align CL37 AN sequence as per databook", " - enic: fix incorrect MTU comparison in enic_change_mtu()", " - rose: fix dangling neighbour pointers in rose_rt_device_down()", " - nui: Fix dma_mapping_error() check", " - drm/msm: Fix a fence leak in submit error path", " - ALSA: sb: Don't allow changing the DMA mode during operations", " - ALSA: sb: Force to disable DMAs once when DMA mode is changed", " - ata: pata_cs5536: fix build on 32-bit UML", " - powerpc: Fix struct termio related ioctl macros", " - scsi: target: Fix NULL pointer dereference in", " core_scsi3_decode_spec_i_port()", " - wifi: mac80211: drop invalid source address OCB frames", " - wifi: ath6kl: remove WARN on bad firmware input", " - ACPICA: Refuse to evaluate a method if arguments are missing", " - mtd: spinand: fix memory leak of ECC engine conf", " - rcu: Return early if callback is not specified", " - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier", " - regulator: gpio: Add input_supply support in gpio_regulator_config", " - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods", " - drm/v3d: Disable interrupts before resetting the GPU", " - NFSv4/flexfiles: Fix handling of NFS level errors in I/O", " - ethernet: atl1: Add missing DMA mapping error checks and count errors", " - dpaa2-eth: Update dpni_get_single_step_cfg command", " - dpaa2-eth: Update SINGLE_STEP register access", " - net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats", " - dpaa2-eth: fix xdp_rxq_info leak", " - platform/x86: think-lmi: Fix class device unregistration", " - platform/x86: dell-wmi-sysman: Fix class device unregistration", " - xhci: dbctty: disable ECHO flag by default", " - xhci: dbc: Flush queued requests before stopping dbc", " - usb: cdnsp: do not disable slot for disabled slot", " - i2c/designware: Fix an initialization issue", " - Logitech C-270 even more broken", " - platform/x86: think-lmi: Create ksets consecutively", " - usb: typec: displayport: Fix potential deadlock", " - [Config] enable TSA mitigation", " - KVM: x86: add support for CPUID leaf 0x80000021", " - Linux 5.15.187", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2024-36350 // CVE-2024-36357", " - x86/bugs: Rename MDS machinery to something more generic", " - x86/bugs: Add a Transient Scheduler Attacks mitigation", " - x86/CPU/AMD: Properly check the TSA microcode", " - x86: Fix X86_FEATURE_VERW_CLEAR definition", " - KVM: SVM: Advertise TSA CPUID bits to guests", " - x86/process: Move the buffer clearing before MONITOR", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2024-26726", " - btrfs: don't drop extent_map for free space inode on write error", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38245", " - atm: Release atm_dev_mutex after removing procfs in", " atm_dev_deregister().", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38249", " - ALSA: usb-audio: Fix out-of-bounds read in", " snd_usb_get_audioformat_uac3()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38251", " - atm: clip: prevent NULL deref in clip_push()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38257", " - s390/pkey: Prevent overflow in size calculation for memdup_user()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38230", " - jfs: validate AG parameters in dbMount() to prevent crashes", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38262", " - tty: serial: uartlite: register uart driver in init", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38263", " - bcache: fix NULL pointer in cache_set_flush()", " * Jammy update: v5.15.186 upstream stable release (LP: #2116904)", " - tracing: Fix compilation warning on arm32", " - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31", " - pinctrl: armada-37xx: set GPIO output value before setting direction", " - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()", " - rtc: Make rtc_time64_to_tm() support dates before 1970", " - rtc: Fix offset calculation for .start_secs < 0", " - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE", " - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device", " - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB", " - usb: usbtmc: Fix timeout value in get_stb", " - thunderbolt: Do not double dequeue a configuration request", " - gfs2: gfs2_create_inode error handling fix", " - perf/core: Fix broken throttling when max_samples_per_tick=1", " - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions", " - x86/cpu: Sanitize CPUID(0x80000000) output", " - crypto: marvell/cesa - Handle zero-length skcipher requests", " - crypto: marvell/cesa - Avoid empty transfer descriptor", " - crypto: lrw - Only add ecb if it is not already there", " - crypto: xts - Only add ecb if it is not already there", " - crypto: sun8i-ce - move fallback ahash_request to the end of the struct", " - EDAC/skx_common: Fix general protection fault", " - power: reset: at91-reset: Optimize at91_reset()", " - PM: wakeup: Delete space in the end of string shown by", " pm_show_wakelocks()", " - x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()", " - ACPI: OSI: Stop advertising support for \"3.0 _SCP Extensions\"", " - spi: sh-msiof: Fix maximum DMA transfer size", " - drm/amd/pp: Fix potential NULL pointer dereference in", " atomctrl_initialize_mc_reg_table", " - media: rkvdec: Fix frame size enumeration", " - fs/ntfs3: handle hdr_first_de() return value", " - m68k: mac: Fix macintosh_config for Mac II", " - firmware: psci: Fix refcount leak in psci_dt_init", " - selftests/seccomp: fix syscall_restart test for arm compat", " - drm: rcar-du: Fix memory leak in rcar_du_vsps_init()", " - drm/vkms: Adjust vkms_state->active_planes allocation type", " - drm/tegra: rgb: Fix the unbound reference count", " - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES", " - wifi: ath11k: fix node corruption in ar->arvifs list", " - IB/cm: use rwlock for MAD agent lock", " - bpf, sockmap: fix duplicated data transmission", " - f2fs: fix to do sanity check on sbi->total_valid_block_count", " - net: ncsi: Fix GCPS 64-bit member variables", " - libbpf: Fix buffer overflow in bpf_object__init_prog", " - wifi: rtw88: do not ignore hardware read error during DPK", " - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h", " - iommu: Protect against overflow in iommu_pgsize()", " - f2fs: clean up w/ fscrypt_is_bounce_page()", " - f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()", " - libbpf: Use proper errno value in linker", " - netfilter: bridge: Move specific fragmented packet to slow_path instead", " of dropping it", " - netfilter: nft_quota: match correctly when the quota just depleted", " - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction", " - bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ", " - clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs", " - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()", " - ktls, sockmap: Fix missing uncharge operation", " - libbpf: Use proper errno value in nlattr", " - pinctrl: at91: Fix possible out-of-boundary access", " - bpf: Fix WARN() in get_bpf_raw_tp_regs", " - clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz", " - s390/bpf: Store backchain even for leaf progs", " - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds", " - wifi: ath9k_htc: Abort software beacon handling if disabled", " - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy", " - vfio/type1: Fix error unwind in migration dirty bitmap allocation", " - bpf, sockmap: Avoid using sk_socket after free when sending", " - netfilter: nft_tunnel: fix geneve_opt dump", " - net: usb: aqc111: fix error handling of usbnet read calls", " - bpf: Avoid __bpf_prog_ret0_warn when jit fails", " - net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy", " - calipso: Don't call calipso functions for AF_INET sk.", " - net: openvswitch: Fix the dead loop of MPLS parse", " - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames", " - f2fs: use d_inode(dentry) cleanup dentry->d_inode", " - f2fs: fix to correct check conditions in f2fs_cross_rename", " - ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select", " - ARM: dts: at91: at91sam9263: fix NAND chip selects", " - arm64: dts: imx8mm-beacon: Fix RTC capacitive load", " - arm64: dts: imx8mn-beacon: Fix RTC capacitive load", " - Squashfs: check return result of sb_min_blocksize", " - ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery", " - nilfs2: add pointer check for nilfs_direct_propagate()", " - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()", " - bus: fsl-mc: fix double-free on mc_dev", " - ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon", " device", " - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399", " Puma with Haikou", " - soc: aspeed: lpc: Fix impossible judgment condition", " - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()", " - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()", " - perf build: Warn when libdebuginfod devel files are not available", " - perf ui browser hists: Set actions->thread before calling", " do_zoom_thread()", " - backlight: pm8941: Add NULL check in wled_configure()", " - perf scripts python: exported-sql-viewer.py: Fix pattern matching with", " Python 3", " - remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe", " - rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()", " - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in", " exynos_lpass_remove()", " - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE", " - perf tests switch-tracking: Fix timestamp comparison", " - perf record: Fix incorrect --user-regs comments", " - nfs: clear SB_RDONLY before getting superblock", " - nfs: ignore SB_RDONLY when remounting nfs", " - rtc: sh: assign correct interrupts with DT", " - PCI: cadence: Fix runtime atomic count underflow", " - dmaengine: ti: Add NULL check in udma_probe()", " - PCI/DPC: Initialize aer_err_info before using it", " - usb: renesas_usbhs: Reorder clock handling and power management in probe", " - serial: Fix potential null-ptr-deref in mlb_usio_probe()", " - iio: adc: ad7124: Fix 3dB filter frequency reading", " - MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a", " - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()", " - net: stmmac: platform: guarantee uniqueness of bus_id", " - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt", " - net: tipc: fix refcount warning in tipc_aead_encrypt", " - driver: net: ethernet: mtk_star_emac: fix suspend/resume issue", " - net/mlx4_en: Prevent potential integer overflow calculating Hz", " - spi: bcm63xx-spi: fix shared reset", " - spi: bcm63xx-hsspi: fix shared reset", " - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION", " - ice: create new Tx scheduler nodes for new queues only", " - net: dsa: tag_brcm: legacy: fix pskb_may_pull length", " - vmxnet3: correctly report gso type for UDP tunnels", " - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices", " - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO", " - netfilter: nf_set_pipapo_avx2: fix initial map fill", " - wireguard: device: enable threaded NAPI", " - seg6: Fix validation of nexthop addresses", " - fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)", " - do_change_type(): refuse to operate on unmounted/not ours mounts", " - pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()", " - Input: synaptics-rmi4 - convert to use sysfs_emit() APIs", " - Input: synaptics-rmi - fix crash with unsupported versions of F34", " - arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property", " - arm64: dts: ti: k3-am65-main: Fix sdhci node properties", " - arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0", " - serial: sh-sci: Check if TX data was written to device in .tx_empty()", " - serial: sh-sci: Move runtime PM enable to sci_probe_single()", " - serial: sh-sci: Clean sci_ports[0] after at earlycon exit", " - scsi: core: ufs: Fix a hang in the error handler", " - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()", " - ath10k: snoc: fix unbalanced IRQ enable in crash recovery", " - scsi: iscsi: Fix incorrect error path labels for flashnode operations", " - net_sched: sch_sfq: fix a potential crash on gso_skb handling", " - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap", " - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()", " - drm/meson: use unsigned long long / Hz for frequency types", " - drm/meson: fix debug log statement when setting the HDMI clocks", " - drm/meson: use vclk_freq instead of pixel_freq in debug print", " - drm/meson: fix more rounding issues with 59.94Hz modes", " - i40e: return false from i40e_reset_vf if reset is in progress", " - i40e: retry VFLR handling if there is ongoing VF reset", " - net: Fix TOCTOU issue in sk_is_readable()", " - macsec: MACsec SCI assignment for ES = 0", " - net: mdio: C22 is now optional, EOPNOTSUPP if not provided", " - net/mdiobus: Fix potential out-of-bounds read/write access", " - net/mlx5: Ensure fw pages are always allocated on same NUMA", " - net/mlx5: Fix return value when searching for existing flow group", " - net_sched: red: fix a race in __red_change()", " - net_sched: tbf: fix a race in tbf_change()", " - net_sched: ets: fix a race in ets_qdisc_change()", " - fs/filesystems: Fix potential unsigned integer underflow in fs_name()", " - nvmet-fcloop: access fcpreq only when holding reqlock", " - perf: Ensure bpf_perf_link path is properly serialized", " - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1", " - posix-cpu-timers: fix race between handle_posix_cpu_timers() and", " posix_cpu_timer_del()", " - x86/boot/compressed: prefer cc-option for CFLAGS additions", " - MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option", " - MIPS: Prefer cc-option for additions to cflags", " - kbuild: Update assembler calls to use proper flags and language target", " - drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang", " - mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation", " - kbuild: Add CLANG_FLAGS to as-instr", " - kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS", " - kbuild: Add KBUILD_CPPFLAGS to as-option invocation", " - drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for", " clang", " - usb: usbtmc: Fix read_stb function and get_stb ioctl", " - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify", " - usb: cdnsp: Fix issue with detecting command completion event", " - usb: cdnsp: Fix issue with detecting USB 3.2 speed", " - usb: Flush altsetting 0 endpoints before reinitializating them after", " reset.", " - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()", " - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall", " - x86/iopl: Cure TIF_IO_BITMAP inconsistencies", " - calipso: unlock rcu before returning -EAFNOSUPPORT", " - net: usb: aqc111: debug info before sanitation", " - drm/meson: Use 1000ULL when operating with mode->clock", " - kbuild: userprogs: fix bitsize and target detection on clang", " - kbuild: hdrcheck: fix cross build with clang", " - xfs: allow inode inactivation during a ro mount log recovery", " - configfs: Do not override creating attribute file failure in", " populate_attrs()", " - crypto: marvell/cesa - Do not chain submitted requests", " - gfs2: move msleep to sleepable context", " - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params()", " - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing", " - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power", " states", " - net/mlx5_core: Add error handling", " inmlx5_query_nic_vport_qkey_viol_cntr()", " - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()", " - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()", " - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request", " - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference", " - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()", " - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723", " - media: ov8856: suppress probe deferral errors", " - media: ccs-pll: Start VT pre-PLL multiplier search from correct value", " - media: ccs-pll: Start OP pre-PLL multiplier search from correct value", " - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div", " - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case", " - media: cxusb: no longer judge rbuf when the write fails", " - media: gspca: Add error handling for stv06xx_read_sensor()", " - media: v4l2-dev: fix error handling in __video_register_device()", " - media: venus: Fix probe error handling", " - media: videobuf2: use sgtable-based scatterlist wrappers", " - media: vidtv: Terminating the subsequent process of initialization", " failure", " - media: vivid: Change the siize of the composing", " - media: uvcvideo: Return the number of processed controls", " - media: uvcvideo: Send control events for partial succeeds", " - media: uvcvideo: Fix deferred probing error", " - ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()", " - ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4", " - bus: mhi: host: Fix conflict between power_up and SYSERR", " - can: tcan4x5x: fix power regulator retrieval during probe", " - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330", " - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device", " - bus: fsl-mc: fix GET/SET_TAILDROP command ids", " - ext4: inline: fix len overflow in ext4_prepare_inline_data", " - ext4: fix calculation of credits for extent tree modification", " - ext4: factor out ext4_get_maxbytes()", " - ext4: ensure i_size is smaller than maxbytes", " - Input: ims-pcu - check record size in ims_pcu_flash_firmware()", " - f2fs: prevent kernel warning due to negative i_nlink from corrupted", " image", " - f2fs: fix to do sanity check on sit_bitmap_size", " - NFC: nci: uart: Set tty->disc_data only in success path", " - EDAC/altera: Use correct write width with the INTTEST register", " - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var", " - vgacon: Add check for vc_origin address range in vgacon_scroll()", " - parisc: fix building with gcc-15", " - clk: meson-g12a: add missing fclk_div2 to spicc", " - ipc: fix to protect IPCS lookups using RCU", " - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction", " - mm: fix ratelimit_pages update error in dirty_ratio_handler()", " - mtd: rawnand: sunxi: Add randomizer configuration in", " sunxi_nfc_hw_ecc_write_chunk", " - mtd: nand: sunxi: Add randomizer configuration before randomizer enable", " - dm-mirror: fix a tiny race condition", " - ftrace: Fix UAF when lookup kallsym after ftrace disabled", " - net: ch9200: fix uninitialised access during mii_nway_restart", " - staging: iio: ad5933: Correct settling cycles encoding per datasheet", " - mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS", " - regulator: max14577: Add error check for max14577_read_reg()", " - remoteproc: core: Cleanup acquired resources when", " rproc_handle_resources() fails in rproc_attach()", " - remoteproc: core: Release rproc->clean_table after rproc_attach() fails", " - uio_hv_generic: Use correct size for interrupt and monitor pages", " - PCI: cadence-ep: Correct PBA offset in .set_msix() callback", " - PCI: Add ACS quirk for Loongson PCIe", " - PCI: Fix lock symmetry in pci_slot_unlock()", " - PCI: dw-rockchip: Fix PHY function call sequence in", " rockchip_pcie_phy_deinit()", " - iio: accel: fxls8962af: Fix temperature scan element sign", " - iio: imu: inv_icm42600: Fix temperature calculation", " - iio: adc: ad7606_spi: fix reg write value mask", " - ACPICA: fix acpi operand cache leak in dswstate.c", " - clocksource: Fix the CPUs' choice in the watchdog per CPU verification", " - ACPICA: Avoid sequence overread in call to strncmp()", " - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change", " - ACPI: bus: Bail out if acpi_kobj registration fails", " - ACPICA: fix acpi parse and parseext cache leaks", " - power: supply: bq27xxx: Retrieve again when busy", " - ACPICA: utilities: Fix overflow check in vsnprintf()", " - ASoC: tegra210_ahub: Add check to of_device_get_match_data()", " - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()", " - ACPI: battery: negate current when discharging", " - drm/amdgpu/gfx6: fix CSIB handling", " - sunrpc: update nextcheck time when adding new cache entries", " - drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling", " disable_irq()", " - exfat: fix double free in delayed_free", " - drm/bridge: anx7625: change the gpiod_set_value API", " - media: i2c: imx334: Enable runtime PM before sub-device registration", " - drm/msm/hdmi: add runtime PM calls to DDC transfer function", " - media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition", " - drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit()", " - drm/msm/a6xx: Increase HFI response timeout", " - media: i2c: imx334: Fix runtime PM handling in remove function", " - drm/amdgpu/gfx10: fix CSIB handling", " - media: ccs-pll: Better validate VT PLL branch", " - media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition", " - drm/amdgpu/gfx7: fix CSIB handling", " - ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in", " ext4_ext_remove_space()", " - jfs: fix array-index-out-of-bounds read in add_missing_indices", " - media: ti: cal: Fix wrong goto on error path", " - media: rkvdec: Initialize the m2m context before the controls", " - sunrpc: fix race in cache cleanup causing stale nextcheck time", " - ext4: prevent stale extent cache entries caused by concurrent get", " es_cache", " - drm/amdgpu/gfx8: fix CSIB handling", " - drm/amdgpu/gfx9: fix CSIB handling", " - jfs: Fix null-ptr-deref in jfs_ioc_trim", " - drm/msm/dpu: don't select single flush for active CTL blocks", " - drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB", " - media: tc358743: ignore video while HPD is low", " - media: platform: exynos4-is: Add hardware sync wait to", " fimc_is_hw_change_mode()", " - media: i2c: imx334: update mode_3840x2160_regs array", " - nios2: force update_mmu_cache on spurious tlb-permission--related", " pagefaults", " - pmdomain: ti: Fix STANDBY handling of PER power domain", " - thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for", " IP v2+", " - cpufreq: Force sync policy boost with global boost on sysfs update", " - net: macb: Check return value of dma_set_mask_and_coherent()", " - tipc: use kfree_sensitive() for aead cleanup", " - i2c: designware: Invoke runtime suspend on quick slave re-registration", " - emulex/benet: correct command version selection in be_cmd_get_stats()", " - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R", " - sctp: Do not wake readers in __sctp_write_space()", " - cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs", " - i2c: npcm: Add clock toggle recovery", " - net: dlink: add synchronization for stats update", " - tcp: always seek for minimal rtt in tcp_rcv_rtt_update()", " - tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows", " - ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT", " - net: atlantic: generate software timestamp just before the doorbell", " - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()", " - pinctrl: armada-37xx: propagate error from", " armada_37xx_gpio_get_direction()", " - pinctrl: armada-37xx: propagate error from", " armada_37xx_pmx_gpio_set_direction()", " - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()", " - net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info", " - wifi: mac80211: do not offer a mesh path if forwarding is disabled", " - clk: rockchip: rk3036: mark ddrphy as critical", " - libbpf: Add identical pointer detection to btf_dedup_is_equiv()", " - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64", " commands", " - iommu/amd: Ensure GA log notifier callbacks finish running before module", " unload", " - net: bridge: mcast: re-implement br_multicast_{enable, disable}_port", " functions", " - vxlan: Do not treat dst cache initialization errors as fatal", " - software node: Correct a OOB check in software_node_get_reference_args()", " - pinctrl: mcp23s08: Reset all pins to input at probe", " - scsi: lpfc: Use memcpy() for BIOS version", " - sock: Correct error checking condition for (assign|release)_proto_idx()", " - i40e: fix MMIO write access to an invalid page in i40e_clear_hw", " - bpf, sockmap: Fix data lost during EAGAIN retries", " - octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer()", " - watchdog: da9052_wdt: respect TWDMIN", " - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value", " - ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY", " - tee: Prevent size calculation wraparound on 32-bit kernels", " - Revert \"bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices", " first\"", " - platform/x86: dell_rbu: Fix list usage", " - platform/x86: dell_rbu: Stop overwriting data buffer", " - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH", " recovery", " - Revert \"x86/bugs: Make spectre user default depend on", " MITIGATION_SPECTRE_V2\" on v6.6 and older", " - drivers/rapidio/rio_cm.c: prevent possible heap overwrite", " - jffs2: check that raw node were preallocated before writing summary", " - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places", " - scsi: storvsc: Increase the timeouts to storvsc_timeout", " - scsi: s390: zfcp: Ensure synchronous unit_add", " - udmabuf: use sgtable-based scatterlist wrappers", " - selftests/x86: Add a test to detect infinite SIGTRAP handler loop", " - selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len", " - atm: Revert atm_account_tx() if copy_from_iter_full() fails.", " - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()", " - block: default BLOCK_LEGACY_AUTOLOAD to y", " - Input: sparcspkr - avoid unannotated fall-through", " - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound", " card", " - ALSA: hda/intel: Add Thinkpad E15 to PM deny list", " - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged", " - iio: accel: fxls8962af: Fix temperature calculation", " - mm/hugetlb: unshare page tables during VMA split, not before", " - mm: hugetlb: independent PMD page table shared count", " - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race", " - erofs: remove unused trace event erofs_destroy_inode", " - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate", " - drm/nouveau/bl: increase buffer size to avoid truncate warning", " - hwmon: (occ) Add soft minimum power cap attribute", " - hwmon: (occ) Rework attribute registration for stack usage", " - hwmon: (occ) fix unaligned accesses", " - pldmfw: Select CRC32 when PLDMFW is selected", " - aoe: clean device rq_list in aoedev_downdev()", " - net: ice: Perform accurate aRFS flow match", " - ptp: fix breakage after ptp_vclock_in_use() rework", " - wifi: carl9170: do not ping device which has failed to load firmware", " - mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().", " - atm: atmtcp: Free invalid length skb in atmtcp_c_send().", " - tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen()", " behavior", " - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer", " - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().", " - net: atm: add lec_mutex", " - net: atm: fix /proc/net/atm/lec handling", " - ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board", " - ARM: dts: am335x-bone-common: Increase MDIO reset deassert time", " - ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms", " - serial: sh-sci: Increment the runtime usage counter for the earlycon", " device", " - Revert \"cpufreq: tegra186: Share policy per cluster\"", " - arm64: move AARCH64_BREAK_FAULT into insn-def.h", " - arm64: insn: add encoders for atomic operations", " - arm64: insn: Add support for encoding DSB", " - arm64: proton-pack: Expose whether the platform is mitigated by firmware", " - arm64: proton-pack: Expose whether the branchy loop k value", " - arm64: spectre: increase parameters that can be used to turn off bhb", " mitigation individually", " - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs", " - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users", " - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation", " - net_sched: sch_sfq: reject invalid perturb period", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " - ext4: make 'abort' mount option handling standard", " - ext4: avoid remount errors with 'abort' mount option", " - net: Fix checksum update for ILA adj-transport", " - bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE", " - s390/pci: Fix __pcilg_mio_inuser() inline assembly", " - perf: Fix sample vs do_exit()", " - arm64/ptrace: Fix stack-out-of-bounds read in", " regs_get_kernel_stack_nth()", " - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()", " - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops", " - Linux 5.15.186", " * CVE-2024-57996 // CVE-2025-37752", " - net_sched: sch_sfq: annotate data-races around q->perturb_period", " - net_sched: sch_sfq: handle bigger packets", " - net_sched: sch_sfq: don't allow 1 packet limit", " - net_sched: sch_sfq: use a temporary work area for validating", " configuration", " - net_sched: sch_sfq: move the limit validation", " * CVE-2025-38350", " - net/sched: Always pass notifications when child class becomes empty", " * CVE-2024-27407", " - fs/ntfs3: Fixed overflow check in mi_enum_attr()", " * watchdog: BUG: soft lockup - CPU#6 stuck for 5718s! [wdavdaemon:1134] with", " 5.15.0-144-generic (LP: #2118407)", " - fs/proc: do_task_stat: use __for_each_thread()", "" ], "package": "linux-kvm", "version": "5.15.0-1088.93", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2120084, 1786013, 2120207, 2118499, 2120098, 1786013, 2107816, 2115238, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118993, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2116904, 2118407 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 15:58:05 +0800" } ], "notes": "linux-kvm-headers-5.15.0-1088 version '5.15.0-1088.93' (source package linux-kvm version '5.15.0-1088.93') was added. linux-kvm-headers-5.15.0-1088 version '5.15.0-1088.93' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1087-kvm. As such we can use the source package version of the removed package, '5.15.0-1087.92', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-1088-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1087.92", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1088.93", "version": "5.15.0-1088.93" }, "cves": [ { "cve": "CVE-2025-38067", "url": "https://ubuntu.com/security/CVE-2025-38067", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38074", "url": "https://ubuntu.com/security/CVE-2025-38074", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); \t\t\t\t QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38439", "url": "https://ubuntu.com/security/CVE-2025-38439", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38441", "url": "https://ubuntu.com/security/CVE-2025-38441", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38443", "url": "https://ubuntu.com/security/CVE-2025-38443", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38444", "url": "https://ubuntu.com/security/CVE-2025-38444", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm \"fio\", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38445", "url": "https://ubuntu.com/security/CVE-2025-38445", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { \t// newpool is on the stack \tmempool_t newpool, oldpool; \t// initialize newpool.wait.head to stack address \tmempool_init(&newpool, ...); \tconf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { \talloc_r1bio() \t{ \t\tmempool_alloc() \t\t{ \t\t\t// if pool->alloc fails \t\t\tremove_element() \t\t\t{ \t\t\t\t--pool->curr_nr; \t\t\t} \t\t} \t} } mempool_free() { \tif (pool->curr_nr < pool->min_nr) { \t\t// pool->wait.head is a stack address \t\t// wake_up() will try to access this invalid address \t\t// which leads to a kernel panic \t\treturn; \t\twake_up(&pool->wait); \t} } Fix: reinit conf->r1bio_pool.wait after assigning newpool.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38375", "url": "https://ubuntu.com/security/CVE-2025-38375", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.", "cve_priority": "medium", "cve_public_date": "2025-07-25 13:15:00 UTC" }, { "cve": "CVE-2025-38448", "url": "https://ubuntu.com/security/CVE-2025-38448", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1:\t\t\t CPU2: gserial_connect() // lock \t\t\t gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() \t\t\t gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-44939", "url": "https://ubuntu.com/security/CVE-2024-44939", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-26775", "url": "https://ubuntu.com/security/CVE-2024-26775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2022-48703", "url": "https://ubuntu.com/security/CVE-2022-48703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.", "cve_priority": "medium", "cve_public_date": "2024-05-03 16:15:00 UTC" }, { "cve": "CVE-2025-38457", "url": "https://ubuntu.com/security/CVE-2025-38457", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38458", "url": "https://ubuntu.com/security/CVE-2025-38458", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38459", "url": "https://ubuntu.com/security/CVE-2025-38459", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38460", "url": "https://ubuntu.com/security/CVE-2025-38460", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip causes unregister hang\"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38461", "url": "https://ubuntu.com/security/CVE-2025-38461", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38462", "url": "https://ubuntu.com/security/CVE-2025-38462", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38464", "url": "https://ubuntu.com/security/CVE-2025-38464", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38465", "url": "https://ubuntu.com/security/CVE-2025-38465", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) \tatomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e (\"udp: Fix multiple wraparounds of sk->sk_rmem_alloc.\"). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38466", "url": "https://ubuntu.com/security/CVE-2025-38466", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38467", "url": "https://ubuntu.com/security/CVE-2025-38467", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-36350", "url": "https://ubuntu.com/security/CVE-2024-36350", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-36357", "url": "https://ubuntu.com/security/CVE-2024-36357", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-26726", "url": "https://ubuntu.com/security/CVE-2024-26726", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2025-38245", "url": "https://ubuntu.com/security/CVE-2025-38245", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b ", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38249", "url": "https://ubuntu.com/security/CVE-2025-38249", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38251", "url": "https://ubuntu.com/security/CVE-2025-38251", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38257", "url": "https://ubuntu.com/security/CVE-2025-38257", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org).", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38230", "url": "https://ubuntu.com/security/CVE-2025-38230", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-07-04 14:15:00 UTC" }, { "cve": "CVE-2025-38262", "url": "https://ubuntu.com/security/CVE-2025-38262", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38263", "url": "https://ubuntu.com/security/CVE-2025-38263", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2024-57996", "url": "https://ubuntu.com/security/CVE-2024-57996", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.", "cve_priority": "medium", "cve_public_date": "2025-02-27 02:15:00 UTC" }, { "cve": "CVE-2025-37752", "url": "https://ubuntu.com/security/CVE-2025-37752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38350", "url": "https://ubuntu.com/security/CVE-2025-38350", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.", "cve_priority": "medium", "cve_public_date": "2025-07-19 07:15:00 UTC" }, { "cve": "CVE-2024-27407", "url": "https://ubuntu.com/security/CVE-2024-27407", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()", "cve_priority": "high", "cve_public_date": "2024-05-17 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2120084, 1786013, 2120207, 2118499, 2120098, 1786013, 2107816, 2115238, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118993, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2116904, 2118407 ], "changes": [ { "cves": [ { "cve": "CVE-2025-38067", "url": "https://ubuntu.com/security/CVE-2025-38067", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38074", "url": "https://ubuntu.com/security/CVE-2025-38074", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); \t\t\t\t QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue.", "cve_priority": "medium", "cve_public_date": "2025-06-18 10:15:00 UTC" }, { "cve": "CVE-2025-38439", "url": "https://ubuntu.com/security/CVE-2025-38439", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38441", "url": "https://ubuntu.com/security/CVE-2025-38441", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline]", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38443", "url": "https://ubuntu.com/security/CVE-2025-38443", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38444", "url": "https://ubuntu.com/security/CVE-2025-38444", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm \"fio\", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38445", "url": "https://ubuntu.com/security/CVE-2025-38445", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { \t// newpool is on the stack \tmempool_t newpool, oldpool; \t// initialize newpool.wait.head to stack address \tmempool_init(&newpool, ...); \tconf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { \talloc_r1bio() \t{ \t\tmempool_alloc() \t\t{ \t\t\t// if pool->alloc fails \t\t\tremove_element() \t\t\t{ \t\t\t\t--pool->curr_nr; \t\t\t} \t\t} \t} } mempool_free() { \tif (pool->curr_nr < pool->min_nr) { \t\t// pool->wait.head is a stack address \t\t// wake_up() will try to access this invalid address \t\t// which leads to a kernel panic \t\treturn; \t\twake_up(&pool->wait); \t} } Fix: reinit conf->r1bio_pool.wait after assigning newpool.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38375", "url": "https://ubuntu.com/security/CVE-2025-38375", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.", "cve_priority": "medium", "cve_public_date": "2025-07-25 13:15:00 UTC" }, { "cve": "CVE-2025-38448", "url": "https://ubuntu.com/security/CVE-2025-38448", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1:\t\t\t CPU2: gserial_connect() // lock \t\t\t gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() \t\t\t gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-44939", "url": "https://ubuntu.com/security/CVE-2024-44939", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-08-26 12:15:00 UTC" }, { "cve": "CVE-2024-26775", "url": "https://ubuntu.com/security/CVE-2024-26775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: aoe: avoid potential deadlock at set_capacity Move set_capacity() outside of the section procected by (&d->lock). To avoid possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- [1] lock(&bdev->bd_size_lock); local_irq_disable(); [2] lock(&d->lock); [3] lock(&bdev->bd_size_lock); [4] lock(&d->lock); *** DEADLOCK *** Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity(). [2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc() is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call. In this situation an attempt to acquire [4]lock(&d->lock) from aoecmd_cfg_rsp() will lead to deadlock. So the simplest solution is breaking lock dependency [2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity() outside.", "cve_priority": "medium", "cve_public_date": "2024-04-03 17:15:00 UTC" }, { "cve": "CVE-2022-48703", "url": "https://ubuntu.com/security/CVE-2022-48703", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.", "cve_priority": "medium", "cve_public_date": "2024-05-03 16:15:00 UTC" }, { "cve": "CVE-2025-38457", "url": "https://ubuntu.com/security/CVE-2025-38457", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38458", "url": "https://ubuntu.com/security/CVE-2025-38458", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38459", "url": "https://ubuntu.com/security/CVE-2025-38459", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38460", "url": "https://ubuntu.com/security/CVE-2025-38460", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip causes unregister hang\"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd().", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38461", "url": "https://ubuntu.com/security/CVE-2025-38461", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38462", "url": "https://ubuntu.com/security/CVE-2025-38462", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38464", "url": "https://ubuntu.com/security/CVE-2025-38464", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38465", "url": "https://ubuntu.com/security/CVE-2025-38465", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) \tatomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e (\"udp: Fix multiple wraparounds of sk->sk_rmem_alloc.\"). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38466", "url": "https://ubuntu.com/security/CVE-2025-38466", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2025-38467", "url": "https://ubuntu.com/security/CVE-2025-38467", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.", "cve_priority": "medium", "cve_public_date": "2025-07-25 16:15:00 UTC" }, { "cve": "CVE-2024-36350", "url": "https://ubuntu.com/security/CVE-2024-36350", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-36357", "url": "https://ubuntu.com/security/CVE-2024-36357", "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.", "cve_priority": "medium", "cve_public_date": "2025-07-08 17:15:00 UTC" }, { "cve": "CVE-2024-26726", "url": "https://ubuntu.com/security/CVE-2024-26726", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfs_get_extent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENT_MAP_HOLE for the requested range. This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map. Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range. I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.", "cve_priority": "medium", "cve_public_date": "2024-04-03 15:15:00 UTC" }, { "cve": "CVE-2025-38245", "url": "https://ubuntu.com/security/CVE-2025-38245", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b ", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38249", "url": "https://ubuntu.com/security/CVE-2025-38249", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38251", "url": "https://ubuntu.com/security/CVE-2025-38251", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38257", "url": "https://ubuntu.com/security/CVE-2025-38257", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org).", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38230", "url": "https://ubuntu.com/security/CVE-2025-38230", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-07-04 14:15:00 UTC" }, { "cve": "CVE-2025-38262", "url": "https://ubuntu.com/security/CVE-2025-38262", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called.", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2025-38263", "url": "https://ubuntu.com/security/CVE-2025-38263", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---", "cve_priority": "medium", "cve_public_date": "2025-07-09 11:15:00 UTC" }, { "cve": "CVE-2024-57996", "url": "https://ubuntu.com/security/CVE-2024-57996", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.", "cve_priority": "medium", "cve_public_date": "2025-02-27 02:15:00 UTC" }, { "cve": "CVE-2025-37752", "url": "https://ubuntu.com/security/CVE-2025-37752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375", "cve_priority": "medium", "cve_public_date": "2025-05-01 13:15:00 UTC" }, { "cve": "CVE-2025-38350", "url": "https://ubuntu.com/security/CVE-2025-38350", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.", "cve_priority": "medium", "cve_public_date": "2025-07-19 07:15:00 UTC" }, { "cve": "CVE-2024-27407", "url": "https://ubuntu.com/security/CVE-2024-27407", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr()", "cve_priority": "high", "cve_public_date": "2024-05-17 12:15:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1088.93 -proposed tracker (LP: #2120084)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.kvm/dkms-versions -- update from kernel-versions", " (main/2025.08.11)", "", " [ Ubuntu: 5.15.0-156.166 ]", "", " * jammy/linux: 5.15.0-156.166 -proposed tracker (LP: #2120207)", " * minimal kernel lacks modules for blk disk in arm64 openstack environments", " where config_drive is required (LP: #2118499)", " - [Config] Enable SYM53C8XX_2 on arm64", "", " [ Ubuntu: 5.15.0-154.164 ]", "", " * jammy/linux: 5.15.0-154.164 -proposed tracker (LP: #2120098)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2025.08.11)", " * warning at iommu_dma_unmap_page when running ibv_rc_pingpong", " (LP: #2107816)", " - RDMA/mlx5: Fix a WARN during dereg_mr for DM type", " * dmesg flooded with errors: amdgpu: DP AUX transfer fail:4 (LP: #2115238)", " - drm/amd/display: Avoid flooding unnecessary info messages", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995)", " - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode", " - fix proc_sys_compare() handling of in-lookup dentries", " - vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also", " `transport_local`", " - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap", " - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX", " - atm: clip: Fix memory leak of struct clip_vcc.", " - ice: safer stats processing", " - rxrpc: Fix oops due to non-existence of prealloc backlog struct", " - bpf: fix precision backtracking instruction iteration", " - bpf, sockmap: Fix skb refcnt race after locking changes", " - xen: replace xen_remap() with memremap()", " - x86/mce/amd: Fix threshold limit reset", " - x86/mce: Don't remove sysfs if thresholding sysfs init fails", " - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel", " - gre: Fix IPv6 multicast route creation.", " - pinctrl: qcom: msm: mark certain pins as invalid for interrupts", " - drm/sched: Increment job count before swapping tail spsc queue", " - drm/gem: Fix race in drm_gem_handle_create_tail()", " - Revert \"ACPI: battery: negate current when discharging\"", " - btrfs: propagate last_unlink_trans earlier when doing a rmdir", " - btrfs: use btrfs_record_snapshot_destroy() during rmdir", " - RDMA/mlx5: Fix vport loopback for MPV device", " - pwm: mediatek: Ensure to disable clocks in error path", " - netlink: Fix rmem check in netlink_broadcast_deliver().", " - netlink: make sure we allow at least one dump skb", " - xhci: Allow RPM on the USB controller (1022:43f7) by default", " - usb: xhci: quirk for data loss in ISOC transfers", " - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS", " - Input: xpad - support Acer NGR 200 Controller", " - usb:cdnsp: remove TRB_FLUSH_ENDPOINT command", " - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant", " - usb: cdnsp: Fix issue with CV Bad Descriptor test", " - usb: dwc3: Abort suspend on soft disconnect failure", " - dma-buf: add dma_resv_for_each_fence_unlocked v8", " - dma-buf: use new iterator in dma_resv_wait_timeout", " - dma-buf: fix timeout handling in dma_resv_wait_timeout v2", " - wifi: zd1211rw: Fix potential NULL pointer dereference in", " zd_mac_tx_to_dev()", " - smb: server: make use of rdma_destroy_qp()", " - ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()", " - net: appletalk: Fix device refcount leak in atrtr_create()", " - net: phy: microchip: limit 100M workaround to link-down events on", " LAN88xx", " - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to", " debug level", " - net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam()", " - bnxt_en: Fix DCB ETS validation", " - atm: idt77252: Add missing `dma_map_error()`", " - um: vector: Reduce stack usage in vector_eth_configure()", " - net: usb: qmi_wwan: add SIMCom 8230C composition", " - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2", " - vt: add missing notification when switching back to text mode", " - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY", " - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras", " - Input: atkbd - do not skip atkbd_deactivate() when skipping", " ATKBD_CMD_GETID", " - x86/mm: Disable hugetlb page table sharing on 32-bit", " - Linux 5.15.189", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38067", " - rseq: Fix segfault on registration when rseq_cs is non-zero", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38074", " - vhost-scsi: protect vq->log_used with vq->mutex", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38439", " - bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38441", " - netfilter: flowtable: account for Ethernet header in", " nf_flow_pppoe_proto()", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38443", " - nbd: fix uaf in nbd_genl_connect() error path", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38444", " - raid10: cleanup memleak at raid10_make_request", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38445", " - md/raid1: Fix stack memory use after return in raid1_reshape", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38375", " - virtio-net: ensure the received length does not exceed allocated size", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38448", " - usb: gadget: u_serial: Fix race condition in TTY wakeup", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2024-44939", " - jfs: fix null ptr deref in dtInsertEntry", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2024-26775", " - aoe: avoid potential deadlock at set_capacity", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2022-48703", " - thermal/int340x_thermal: handle data_vault when the value is", " ZERO_SIZE_PTR", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38457", " - net/sched: Abort __tc_modify_qdisc if parent class does not exist", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38458", " - atm: clip: Fix NULL pointer dereference in vcc_sendmsg()", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38459", " - atm: clip: Fix infinite recursive call of clip_push().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38460", " - atm: clip: Fix potential null-ptr-deref in to_atmarpd().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38461", " - vsock: Fix transport_* TOCTOU", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38462", " - vsock: Fix transport_{g2h,h2g} TOCTOU", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38464", " - tipc: Fix use-after-free in tipc_conn_close().", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38465", " - netlink: Fix wraparounds of sk->sk_rmem_alloc.", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38466", " - perf: Revert to requiring CAP_SYS_ADMIN for uprobes", " * Jammy update: v5.15.189 upstream stable release (LP: #2118995) //", " CVE-2025-38467", " - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling", " * Jammy update: v5.15.188 upstream stable release (LP: #2118993)", " - Linux 5.15.188", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977)", " - cifs: Fix cifs_query_path_info() for Windows NT servers", " - NFSv4: Always set NLINK even if the server doesn't support it", " - NFSv4.2: fix listxattr to return selinux security label", " - mailbox: Not protect module_put with spin_lock_irqsave", " - mfd: max14577: Fix wakeup source leaks on device unbind", " - leds: multicolor: Fix intensity setting while SW blinking", " - hwmon: (pmbus/max34440) Fix support for max34451", " - ksmbd: allow a filename to contain special characters on SMB3.1.1 posix", " extension", " - dmaengine: xilinx_dma: Set dma_device directions", " - md/md-bitmap: fix dm-raid max_write_behind setting", " - iio: pressure: zpa2326: Use aligned_s64 for the timestamp", " - um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h", " - coresight: Only check bottom two claim bits", " - usb: dwc2: also exit clock_gating when stopping udc while suspended", " - usb: potential integer overflow in usbg_make_tpg()", " - usb: common: usb-conn-gpio: use a unique name for usb connector device", " - usb: Add checks for snprintf() calls in usb_alloc_dev()", " - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s", " - usb: typec: displayport: Receive DP Status Update NAK request exit dp", " altmode", " - ALSA: hda: Ignore unsol events for cards being shut down", " - ALSA: hda: Add new pci id for AMD GPU display HD audio controller", " - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock", " - ceph: fix possible integer overflow in ceph_zero_objects()", " - ovl: Check for NULL d_inode() in ovl_dentry_upper()", " - fs/jfs: consolidate sanity checking in dbMount", " - media: davinci: vpif: Fix memory leak in probe error path", " - media: omap3isp: use sgtable-based scatterlist wrappers", " - clk: ti: am43xx: Add clkctrl data for am43xx ADC1", " - media: imx-jpeg: Drop the first error frames", " - f2fs: don't over-report free space or inodes in statvfs", " - Drivers: hv: Rename 'alloced' to 'allocated'", " - Drivers: hv: vmbus: Add utility function for querying ring size", " - uio_hv_generic: Query the ringbuffer size for device", " - uio_hv_generic: Align ring size to system page", " - fbcon: delete a few unneeded forward decl", " - tty/vt: consolemap: rename and document struct uni_pagedir", " - vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen()", " - vgacon: remove unneeded forward declarations", " - tty: vt: make init parameter of consw::con_init() a bool", " - tty: vt: sanitize arguments of consw::con_clear()", " - tty: vt: make consw::con_switch() return a bool", " - dummycon: Trigger redraw when switching consoles with deferred takeover", " - platform/x86: ideapad-laptop: use usleep_range() for EC polling", " - i2c: tiny-usb: disable zero-length read messages", " - i2c: robotfuzz-osif: disable zero-length read messages", " - attach_recursive_mnt(): do not lock the covering tree when sliding", " something under it", " - libbpf: Fix null pointer dereference in btf_dump__free on allocation", " failure", " - wifi: mac80211: fix beacon interval calculation overflow", " - af_unix: Don't set -ECONNRESET for consumed OOB skb.", " - vsock/uapi: fix linux/vm_sockets.h userspace compilation errors", " - um: ubd: Add missing error check in start_io_thread()", " - net: enetc: Correct endianness handling in _enetc_rd_reg64", " - net: selftests: fix TCP packet checksum", " - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()", " - dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive", " - Bluetooth: L2CAP: Fix L2CAP MTU negotiation", " - dm-raid: fix variable in journal device check", " - btrfs: update superblock's device bytes_used when dropping chunk", " - HID: wacom: fix memory leak on kobject creation failure", " - HID: wacom: fix memory leak on sysfs attribute creation failure", " - HID: wacom: fix kobject reference count leak", " - drm/tegra: Assign plane type before registration", " - drm/tegra: Fix a possible null pointer dereference", " - drm/udl: Unregister device before cleaning up on disconnect", " - drm/amdkfd: Fix race in GWS queue scheduling", " - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()", " - drm/bridge: cdns-dsi: Fix connecting to next bridge", " - drm/bridge: cdns-dsi: Check return value when getting default PHY config", " - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready", " - drm/amd/display: Add null pointer check for get_first_active_display()", " - PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time", " - media: uvcvideo: Rollback non processed entities on error", " - s390/entry: Fix last breaking event handling in case of stack corruption", " - s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS", " - Revert \"ipv6: save dontfrag in cork\"", " - arm64: Restrict pagetable teardown to avoid false warning", " - ARM: 9354/1: ptrace: Use bitfield helpers", " - rtc: cmos: use spin_lock_irqsave in cmos_interrupt", " - vsock/vmci: Clear the vmci transport packet properly when initializing", " it", " - mmc: sdhci: Add a helper function for dump register in dynamic debug", " mode", " - Revert \"mmc: sdhci: Disable SD card clock before changing parameters\"", " - usb: typec: altmodes/displayport: do not index invalid pin_assignments", " - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data", " - mtk-sd: Prevent memory corruption from DMA map failure", " - mtk-sd: reset host->mrq on prepare_data() error", " - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment", " - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert", " - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.", " - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN", " - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()", " - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()", " - scsi: ufs: core: Fix spelling of a sysfs attribute name", " - RDMA/mlx5: Fix CC counters query for MPV", " - btrfs: fix missing error handling when searching for inode refs during", " log replay", " - drm/exynos: fimd: Guard display clock control with runtime PM calls", " - spi: spi-fsl-dspi: Clear completion counter before initiating transfer", " - drm/i915/selftests: Change mock_request() to return error pointers", " - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs", " callbacks", " - drm/i915/gt: Fix timeline left held on VMA alloc error", " - igc: disable L1.2 PCI-E link substate to avoid performance issue", " - lib: test_objagg: Set error message in check_expect_hints_stats()", " - amd-xgbe: align CL37 AN sequence as per databook", " - enic: fix incorrect MTU comparison in enic_change_mtu()", " - rose: fix dangling neighbour pointers in rose_rt_device_down()", " - nui: Fix dma_mapping_error() check", " - drm/msm: Fix a fence leak in submit error path", " - ALSA: sb: Don't allow changing the DMA mode during operations", " - ALSA: sb: Force to disable DMAs once when DMA mode is changed", " - ata: pata_cs5536: fix build on 32-bit UML", " - powerpc: Fix struct termio related ioctl macros", " - scsi: target: Fix NULL pointer dereference in", " core_scsi3_decode_spec_i_port()", " - wifi: mac80211: drop invalid source address OCB frames", " - wifi: ath6kl: remove WARN on bad firmware input", " - ACPICA: Refuse to evaluate a method if arguments are missing", " - mtd: spinand: fix memory leak of ECC engine conf", " - rcu: Return early if callback is not specified", " - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier", " - regulator: gpio: Add input_supply support in gpio_regulator_config", " - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods", " - drm/v3d: Disable interrupts before resetting the GPU", " - NFSv4/flexfiles: Fix handling of NFS level errors in I/O", " - ethernet: atl1: Add missing DMA mapping error checks and count errors", " - dpaa2-eth: Update dpni_get_single_step_cfg command", " - dpaa2-eth: Update SINGLE_STEP register access", " - net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats", " - dpaa2-eth: fix xdp_rxq_info leak", " - platform/x86: think-lmi: Fix class device unregistration", " - platform/x86: dell-wmi-sysman: Fix class device unregistration", " - xhci: dbctty: disable ECHO flag by default", " - xhci: dbc: Flush queued requests before stopping dbc", " - usb: cdnsp: do not disable slot for disabled slot", " - i2c/designware: Fix an initialization issue", " - Logitech C-270 even more broken", " - platform/x86: think-lmi: Create ksets consecutively", " - usb: typec: displayport: Fix potential deadlock", " - [Config] enable TSA mitigation", " - KVM: x86: add support for CPUID leaf 0x80000021", " - Linux 5.15.187", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2024-36350 // CVE-2024-36357", " - x86/bugs: Rename MDS machinery to something more generic", " - x86/bugs: Add a Transient Scheduler Attacks mitigation", " - x86/CPU/AMD: Properly check the TSA microcode", " - x86: Fix X86_FEATURE_VERW_CLEAR definition", " - KVM: SVM: Advertise TSA CPUID bits to guests", " - x86/process: Move the buffer clearing before MONITOR", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2024-26726", " - btrfs: don't drop extent_map for free space inode on write error", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38245", " - atm: Release atm_dev_mutex after removing procfs in", " atm_dev_deregister().", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38249", " - ALSA: usb-audio: Fix out-of-bounds read in", " snd_usb_get_audioformat_uac3()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38251", " - atm: clip: prevent NULL deref in clip_push()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38257", " - s390/pkey: Prevent overflow in size calculation for memdup_user()", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38230", " - jfs: validate AG parameters in dbMount() to prevent crashes", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38262", " - tty: serial: uartlite: register uart driver in init", " * Jammy update: v5.15.187 upstream stable release (LP: #2118977) //", " CVE-2025-38263", " - bcache: fix NULL pointer in cache_set_flush()", " * Jammy update: v5.15.186 upstream stable release (LP: #2116904)", " - tracing: Fix compilation warning on arm32", " - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31", " - pinctrl: armada-37xx: set GPIO output value before setting direction", " - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()", " - rtc: Make rtc_time64_to_tm() support dates before 1970", " - rtc: Fix offset calculation for .start_secs < 0", " - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE", " - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device", " - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB", " - usb: usbtmc: Fix timeout value in get_stb", " - thunderbolt: Do not double dequeue a configuration request", " - gfs2: gfs2_create_inode error handling fix", " - perf/core: Fix broken throttling when max_samples_per_tick=1", " - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions", " - x86/cpu: Sanitize CPUID(0x80000000) output", " - crypto: marvell/cesa - Handle zero-length skcipher requests", " - crypto: marvell/cesa - Avoid empty transfer descriptor", " - crypto: lrw - Only add ecb if it is not already there", " - crypto: xts - Only add ecb if it is not already there", " - crypto: sun8i-ce - move fallback ahash_request to the end of the struct", " - EDAC/skx_common: Fix general protection fault", " - power: reset: at91-reset: Optimize at91_reset()", " - PM: wakeup: Delete space in the end of string shown by", " pm_show_wakelocks()", " - x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()", " - ACPI: OSI: Stop advertising support for \"3.0 _SCP Extensions\"", " - spi: sh-msiof: Fix maximum DMA transfer size", " - drm/amd/pp: Fix potential NULL pointer dereference in", " atomctrl_initialize_mc_reg_table", " - media: rkvdec: Fix frame size enumeration", " - fs/ntfs3: handle hdr_first_de() return value", " - m68k: mac: Fix macintosh_config for Mac II", " - firmware: psci: Fix refcount leak in psci_dt_init", " - selftests/seccomp: fix syscall_restart test for arm compat", " - drm: rcar-du: Fix memory leak in rcar_du_vsps_init()", " - drm/vkms: Adjust vkms_state->active_planes allocation type", " - drm/tegra: rgb: Fix the unbound reference count", " - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES", " - wifi: ath11k: fix node corruption in ar->arvifs list", " - IB/cm: use rwlock for MAD agent lock", " - bpf, sockmap: fix duplicated data transmission", " - f2fs: fix to do sanity check on sbi->total_valid_block_count", " - net: ncsi: Fix GCPS 64-bit member variables", " - libbpf: Fix buffer overflow in bpf_object__init_prog", " - wifi: rtw88: do not ignore hardware read error during DPK", " - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h", " - iommu: Protect against overflow in iommu_pgsize()", " - f2fs: clean up w/ fscrypt_is_bounce_page()", " - f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()", " - libbpf: Use proper errno value in linker", " - netfilter: bridge: Move specific fragmented packet to slow_path instead", " of dropping it", " - netfilter: nft_quota: match correctly when the quota just depleted", " - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction", " - bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ", " - clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs", " - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()", " - ktls, sockmap: Fix missing uncharge operation", " - libbpf: Use proper errno value in nlattr", " - pinctrl: at91: Fix possible out-of-boundary access", " - bpf: Fix WARN() in get_bpf_raw_tp_regs", " - clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz", " - s390/bpf: Store backchain even for leaf progs", " - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds", " - wifi: ath9k_htc: Abort software beacon handling if disabled", " - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy", " - vfio/type1: Fix error unwind in migration dirty bitmap allocation", " - bpf, sockmap: Avoid using sk_socket after free when sending", " - netfilter: nft_tunnel: fix geneve_opt dump", " - net: usb: aqc111: fix error handling of usbnet read calls", " - bpf: Avoid __bpf_prog_ret0_warn when jit fails", " - net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy", " - calipso: Don't call calipso functions for AF_INET sk.", " - net: openvswitch: Fix the dead loop of MPLS parse", " - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames", " - f2fs: use d_inode(dentry) cleanup dentry->d_inode", " - f2fs: fix to correct check conditions in f2fs_cross_rename", " - ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select", " - ARM: dts: at91: at91sam9263: fix NAND chip selects", " - arm64: dts: imx8mm-beacon: Fix RTC capacitive load", " - arm64: dts: imx8mn-beacon: Fix RTC capacitive load", " - Squashfs: check return result of sb_min_blocksize", " - ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery", " - nilfs2: add pointer check for nilfs_direct_propagate()", " - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()", " - bus: fsl-mc: fix double-free on mc_dev", " - ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon", " device", " - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399", " Puma with Haikou", " - soc: aspeed: lpc: Fix impossible judgment condition", " - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()", " - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()", " - perf build: Warn when libdebuginfod devel files are not available", " - perf ui browser hists: Set actions->thread before calling", " do_zoom_thread()", " - backlight: pm8941: Add NULL check in wled_configure()", " - perf scripts python: exported-sql-viewer.py: Fix pattern matching with", " Python 3", " - remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe", " - rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()", " - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in", " exynos_lpass_remove()", " - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE", " - perf tests switch-tracking: Fix timestamp comparison", " - perf record: Fix incorrect --user-regs comments", " - nfs: clear SB_RDONLY before getting superblock", " - nfs: ignore SB_RDONLY when remounting nfs", " - rtc: sh: assign correct interrupts with DT", " - PCI: cadence: Fix runtime atomic count underflow", " - dmaengine: ti: Add NULL check in udma_probe()", " - PCI/DPC: Initialize aer_err_info before using it", " - usb: renesas_usbhs: Reorder clock handling and power management in probe", " - serial: Fix potential null-ptr-deref in mlb_usio_probe()", " - iio: adc: ad7124: Fix 3dB filter frequency reading", " - MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a", " - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()", " - net: stmmac: platform: guarantee uniqueness of bus_id", " - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt", " - net: tipc: fix refcount warning in tipc_aead_encrypt", " - driver: net: ethernet: mtk_star_emac: fix suspend/resume issue", " - net/mlx4_en: Prevent potential integer overflow calculating Hz", " - spi: bcm63xx-spi: fix shared reset", " - spi: bcm63xx-hsspi: fix shared reset", " - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION", " - ice: create new Tx scheduler nodes for new queues only", " - net: dsa: tag_brcm: legacy: fix pskb_may_pull length", " - vmxnet3: correctly report gso type for UDP tunnels", " - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices", " - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO", " - netfilter: nf_set_pipapo_avx2: fix initial map fill", " - wireguard: device: enable threaded NAPI", " - seg6: Fix validation of nexthop addresses", " - fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)", " - do_change_type(): refuse to operate on unmounted/not ours mounts", " - pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()", " - Input: synaptics-rmi4 - convert to use sysfs_emit() APIs", " - Input: synaptics-rmi - fix crash with unsupported versions of F34", " - arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property", " - arm64: dts: ti: k3-am65-main: Fix sdhci node properties", " - arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0", " - serial: sh-sci: Check if TX data was written to device in .tx_empty()", " - serial: sh-sci: Move runtime PM enable to sci_probe_single()", " - serial: sh-sci: Clean sci_ports[0] after at earlycon exit", " - scsi: core: ufs: Fix a hang in the error handler", " - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()", " - ath10k: snoc: fix unbalanced IRQ enable in crash recovery", " - scsi: iscsi: Fix incorrect error path labels for flashnode operations", " - net_sched: sch_sfq: fix a potential crash on gso_skb handling", " - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap", " - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()", " - drm/meson: use unsigned long long / Hz for frequency types", " - drm/meson: fix debug log statement when setting the HDMI clocks", " - drm/meson: use vclk_freq instead of pixel_freq in debug print", " - drm/meson: fix more rounding issues with 59.94Hz modes", " - i40e: return false from i40e_reset_vf if reset is in progress", " - i40e: retry VFLR handling if there is ongoing VF reset", " - net: Fix TOCTOU issue in sk_is_readable()", " - macsec: MACsec SCI assignment for ES = 0", " - net: mdio: C22 is now optional, EOPNOTSUPP if not provided", " - net/mdiobus: Fix potential out-of-bounds read/write access", " - net/mlx5: Ensure fw pages are always allocated on same NUMA", " - net/mlx5: Fix return value when searching for existing flow group", " - net_sched: red: fix a race in __red_change()", " - net_sched: tbf: fix a race in tbf_change()", " - net_sched: ets: fix a race in ets_qdisc_change()", " - fs/filesystems: Fix potential unsigned integer underflow in fs_name()", " - nvmet-fcloop: access fcpreq only when holding reqlock", " - perf: Ensure bpf_perf_link path is properly serialized", " - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1", " - posix-cpu-timers: fix race between handle_posix_cpu_timers() and", " posix_cpu_timer_del()", " - x86/boot/compressed: prefer cc-option for CFLAGS additions", " - MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option", " - MIPS: Prefer cc-option for additions to cflags", " - kbuild: Update assembler calls to use proper flags and language target", " - drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang", " - mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation", " - kbuild: Add CLANG_FLAGS to as-instr", " - kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS", " - kbuild: Add KBUILD_CPPFLAGS to as-option invocation", " - drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for", " clang", " - usb: usbtmc: Fix read_stb function and get_stb ioctl", " - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify", " - usb: cdnsp: Fix issue with detecting command completion event", " - usb: cdnsp: Fix issue with detecting USB 3.2 speed", " - usb: Flush altsetting 0 endpoints before reinitializating them after", " reset.", " - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()", " - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall", " - x86/iopl: Cure TIF_IO_BITMAP inconsistencies", " - calipso: unlock rcu before returning -EAFNOSUPPORT", " - net: usb: aqc111: debug info before sanitation", " - drm/meson: Use 1000ULL when operating with mode->clock", " - kbuild: userprogs: fix bitsize and target detection on clang", " - kbuild: hdrcheck: fix cross build with clang", " - xfs: allow inode inactivation during a ro mount log recovery", " - configfs: Do not override creating attribute file failure in", " populate_attrs()", " - crypto: marvell/cesa - Do not chain submitted requests", " - gfs2: move msleep to sleepable context", " - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params()", " - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing", " - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power", " states", " - net/mlx5_core: Add error handling", " inmlx5_query_nic_vport_qkey_viol_cntr()", " - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()", " - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()", " - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request", " - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference", " - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()", " - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723", " - media: ov8856: suppress probe deferral errors", " - media: ccs-pll: Start VT pre-PLL multiplier search from correct value", " - media: ccs-pll: Start OP pre-PLL multiplier search from correct value", " - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div", " - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case", " - media: cxusb: no longer judge rbuf when the write fails", " - media: gspca: Add error handling for stv06xx_read_sensor()", " - media: v4l2-dev: fix error handling in __video_register_device()", " - media: venus: Fix probe error handling", " - media: videobuf2: use sgtable-based scatterlist wrappers", " - media: vidtv: Terminating the subsequent process of initialization", " failure", " - media: vivid: Change the siize of the composing", " - media: uvcvideo: Return the number of processed controls", " - media: uvcvideo: Send control events for partial succeeds", " - media: uvcvideo: Fix deferred probing error", " - ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()", " - ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4", " - bus: mhi: host: Fix conflict between power_up and SYSERR", " - can: tcan4x5x: fix power regulator retrieval during probe", " - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330", " - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device", " - bus: fsl-mc: fix GET/SET_TAILDROP command ids", " - ext4: inline: fix len overflow in ext4_prepare_inline_data", " - ext4: fix calculation of credits for extent tree modification", " - ext4: factor out ext4_get_maxbytes()", " - ext4: ensure i_size is smaller than maxbytes", " - Input: ims-pcu - check record size in ims_pcu_flash_firmware()", " - f2fs: prevent kernel warning due to negative i_nlink from corrupted", " image", " - f2fs: fix to do sanity check on sit_bitmap_size", " - NFC: nci: uart: Set tty->disc_data only in success path", " - EDAC/altera: Use correct write width with the INTTEST register", " - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var", " - vgacon: Add check for vc_origin address range in vgacon_scroll()", " - parisc: fix building with gcc-15", " - clk: meson-g12a: add missing fclk_div2 to spicc", " - ipc: fix to protect IPCS lookups using RCU", " - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction", " - mm: fix ratelimit_pages update error in dirty_ratio_handler()", " - mtd: rawnand: sunxi: Add randomizer configuration in", " sunxi_nfc_hw_ecc_write_chunk", " - mtd: nand: sunxi: Add randomizer configuration before randomizer enable", " - dm-mirror: fix a tiny race condition", " - ftrace: Fix UAF when lookup kallsym after ftrace disabled", " - net: ch9200: fix uninitialised access during mii_nway_restart", " - staging: iio: ad5933: Correct settling cycles encoding per datasheet", " - mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS", " - regulator: max14577: Add error check for max14577_read_reg()", " - remoteproc: core: Cleanup acquired resources when", " rproc_handle_resources() fails in rproc_attach()", " - remoteproc: core: Release rproc->clean_table after rproc_attach() fails", " - uio_hv_generic: Use correct size for interrupt and monitor pages", " - PCI: cadence-ep: Correct PBA offset in .set_msix() callback", " - PCI: Add ACS quirk for Loongson PCIe", " - PCI: Fix lock symmetry in pci_slot_unlock()", " - PCI: dw-rockchip: Fix PHY function call sequence in", " rockchip_pcie_phy_deinit()", " - iio: accel: fxls8962af: Fix temperature scan element sign", " - iio: imu: inv_icm42600: Fix temperature calculation", " - iio: adc: ad7606_spi: fix reg write value mask", " - ACPICA: fix acpi operand cache leak in dswstate.c", " - clocksource: Fix the CPUs' choice in the watchdog per CPU verification", " - ACPICA: Avoid sequence overread in call to strncmp()", " - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change", " - ACPI: bus: Bail out if acpi_kobj registration fails", " - ACPICA: fix acpi parse and parseext cache leaks", " - power: supply: bq27xxx: Retrieve again when busy", " - ACPICA: utilities: Fix overflow check in vsnprintf()", " - ASoC: tegra210_ahub: Add check to of_device_get_match_data()", " - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()", " - ACPI: battery: negate current when discharging", " - drm/amdgpu/gfx6: fix CSIB handling", " - sunrpc: update nextcheck time when adding new cache entries", " - drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling", " disable_irq()", " - exfat: fix double free in delayed_free", " - drm/bridge: anx7625: change the gpiod_set_value API", " - media: i2c: imx334: Enable runtime PM before sub-device registration", " - drm/msm/hdmi: add runtime PM calls to DDC transfer function", " - media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition", " - drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit()", " - drm/msm/a6xx: Increase HFI response timeout", " - media: i2c: imx334: Fix runtime PM handling in remove function", " - drm/amdgpu/gfx10: fix CSIB handling", " - media: ccs-pll: Better validate VT PLL branch", " - media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition", " - drm/amdgpu/gfx7: fix CSIB handling", " - ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in", " ext4_ext_remove_space()", " - jfs: fix array-index-out-of-bounds read in add_missing_indices", " - media: ti: cal: Fix wrong goto on error path", " - media: rkvdec: Initialize the m2m context before the controls", " - sunrpc: fix race in cache cleanup causing stale nextcheck time", " - ext4: prevent stale extent cache entries caused by concurrent get", " es_cache", " - drm/amdgpu/gfx8: fix CSIB handling", " - drm/amdgpu/gfx9: fix CSIB handling", " - jfs: Fix null-ptr-deref in jfs_ioc_trim", " - drm/msm/dpu: don't select single flush for active CTL blocks", " - drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB", " - media: tc358743: ignore video while HPD is low", " - media: platform: exynos4-is: Add hardware sync wait to", " fimc_is_hw_change_mode()", " - media: i2c: imx334: update mode_3840x2160_regs array", " - nios2: force update_mmu_cache on spurious tlb-permission--related", " pagefaults", " - pmdomain: ti: Fix STANDBY handling of PER power domain", " - thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for", " IP v2+", " - cpufreq: Force sync policy boost with global boost on sysfs update", " - net: macb: Check return value of dma_set_mask_and_coherent()", " - tipc: use kfree_sensitive() for aead cleanup", " - i2c: designware: Invoke runtime suspend on quick slave re-registration", " - emulex/benet: correct command version selection in be_cmd_get_stats()", " - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R", " - sctp: Do not wake readers in __sctp_write_space()", " - cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs", " - i2c: npcm: Add clock toggle recovery", " - net: dlink: add synchronization for stats update", " - tcp: always seek for minimal rtt in tcp_rcv_rtt_update()", " - tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows", " - ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT", " - net: atlantic: generate software timestamp just before the doorbell", " - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()", " - pinctrl: armada-37xx: propagate error from", " armada_37xx_gpio_get_direction()", " - pinctrl: armada-37xx: propagate error from", " armada_37xx_pmx_gpio_set_direction()", " - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()", " - net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info", " - wifi: mac80211: do not offer a mesh path if forwarding is disabled", " - clk: rockchip: rk3036: mark ddrphy as critical", " - libbpf: Add identical pointer detection to btf_dedup_is_equiv()", " - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64", " commands", " - iommu/amd: Ensure GA log notifier callbacks finish running before module", " unload", " - net: bridge: mcast: re-implement br_multicast_{enable, disable}_port", " functions", " - vxlan: Do not treat dst cache initialization errors as fatal", " - software node: Correct a OOB check in software_node_get_reference_args()", " - pinctrl: mcp23s08: Reset all pins to input at probe", " - scsi: lpfc: Use memcpy() for BIOS version", " - sock: Correct error checking condition for (assign|release)_proto_idx()", " - i40e: fix MMIO write access to an invalid page in i40e_clear_hw", " - bpf, sockmap: Fix data lost during EAGAIN retries", " - octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer()", " - watchdog: da9052_wdt: respect TWDMIN", " - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value", " - ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY", " - tee: Prevent size calculation wraparound on 32-bit kernels", " - Revert \"bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices", " first\"", " - platform/x86: dell_rbu: Fix list usage", " - platform/x86: dell_rbu: Stop overwriting data buffer", " - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH", " recovery", " - Revert \"x86/bugs: Make spectre user default depend on", " MITIGATION_SPECTRE_V2\" on v6.6 and older", " - drivers/rapidio/rio_cm.c: prevent possible heap overwrite", " - jffs2: check that raw node were preallocated before writing summary", " - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places", " - scsi: storvsc: Increase the timeouts to storvsc_timeout", " - scsi: s390: zfcp: Ensure synchronous unit_add", " - udmabuf: use sgtable-based scatterlist wrappers", " - selftests/x86: Add a test to detect infinite SIGTRAP handler loop", " - selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len", " - atm: Revert atm_account_tx() if copy_from_iter_full() fails.", " - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()", " - block: default BLOCK_LEGACY_AUTOLOAD to y", " - Input: sparcspkr - avoid unannotated fall-through", " - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound", " card", " - ALSA: hda/intel: Add Thinkpad E15 to PM deny list", " - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged", " - iio: accel: fxls8962af: Fix temperature calculation", " - mm/hugetlb: unshare page tables during VMA split, not before", " - mm: hugetlb: independent PMD page table shared count", " - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race", " - erofs: remove unused trace event erofs_destroy_inode", " - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate", " - drm/nouveau/bl: increase buffer size to avoid truncate warning", " - hwmon: (occ) Add soft minimum power cap attribute", " - hwmon: (occ) Rework attribute registration for stack usage", " - hwmon: (occ) fix unaligned accesses", " - pldmfw: Select CRC32 when PLDMFW is selected", " - aoe: clean device rq_list in aoedev_downdev()", " - net: ice: Perform accurate aRFS flow match", " - ptp: fix breakage after ptp_vclock_in_use() rework", " - wifi: carl9170: do not ping device which has failed to load firmware", " - mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().", " - atm: atmtcp: Free invalid length skb in atmtcp_c_send().", " - tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen()", " behavior", " - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer", " - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().", " - net: atm: add lec_mutex", " - net: atm: fix /proc/net/atm/lec handling", " - ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board", " - ARM: dts: am335x-bone-common: Increase MDIO reset deassert time", " - ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms", " - serial: sh-sci: Increment the runtime usage counter for the earlycon", " device", " - Revert \"cpufreq: tegra186: Share policy per cluster\"", " - arm64: move AARCH64_BREAK_FAULT into insn-def.h", " - arm64: insn: add encoders for atomic operations", " - arm64: insn: Add support for encoding DSB", " - arm64: proton-pack: Expose whether the platform is mitigated by firmware", " - arm64: proton-pack: Expose whether the branchy loop k value", " - arm64: spectre: increase parameters that can be used to turn off bhb", " mitigation individually", " - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs", " - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users", " - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation", " - net_sched: sch_sfq: reject invalid perturb period", " - mm/huge_memory: fix dereferencing invalid pmd migration entry", " - ext4: make 'abort' mount option handling standard", " - ext4: avoid remount errors with 'abort' mount option", " - net: Fix checksum update for ILA adj-transport", " - bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE", " - s390/pci: Fix __pcilg_mio_inuser() inline assembly", " - perf: Fix sample vs do_exit()", " - arm64/ptrace: Fix stack-out-of-bounds read in", " regs_get_kernel_stack_nth()", " - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()", " - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops", " - Linux 5.15.186", " * CVE-2024-57996 // CVE-2025-37752", " - net_sched: sch_sfq: annotate data-races around q->perturb_period", " - net_sched: sch_sfq: handle bigger packets", " - net_sched: sch_sfq: don't allow 1 packet limit", " - net_sched: sch_sfq: use a temporary work area for validating", " configuration", " - net_sched: sch_sfq: move the limit validation", " * CVE-2025-38350", " - net/sched: Always pass notifications when child class becomes empty", " * CVE-2024-27407", " - fs/ntfs3: Fixed overflow check in mi_enum_attr()", " * watchdog: BUG: soft lockup - CPU#6 stuck for 5718s! [wdavdaemon:1134] with", " 5.15.0-144-generic (LP: #2118407)", " - fs/proc: do_task_stat: use __for_each_thread()", "" ], "package": "linux-kvm", "version": "5.15.0-1088.93", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2120084, 1786013, 2120207, 2118499, 2120098, 1786013, 2107816, 2115238, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118995, 2118993, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2118977, 2116904, 2118407 ], "author": "Zixing Liu ", "date": "Fri, 22 Aug 2025 15:58:05 +0800" } ], "notes": "linux-modules-5.15.0-1088-kvm version '5.15.0-1088.93' (source package linux-kvm version '5.15.0-1088.93') was added. linux-modules-5.15.0-1088-kvm version '5.15.0-1088.93' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1087-kvm. As such we can use the source package version of the removed package, '5.15.0-1087.92', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-1087-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1087.92", "version": "5.15.0-1087.92" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-5.15.0-1087-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1087.92", "version": "5.15.0-1087.92" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-kvm-headers-5.15.0-1087", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1087.92", "version": "5.15.0-1087.92" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-5.15.0-1087-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1087.92", "version": "5.15.0-1087.92" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20250924 to 20251001", "from_series": "jammy", "to_series": "jammy", "from_serial": "20250924", "to_serial": "20251001", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }