{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.8.0-64-generic",
                "linux-modules-6.8.0-64-generic"
            ],
            "removed": [
                "linux-image-6.8.0-60-generic",
                "linux-modules-6.8.0-60-generic"
            ],
            "diff": [
                "apport",
                "apport-core-dump-handler",
                "bsdutils",
                "fdisk",
                "gpgv",
                "gzip",
                "libblkid1",
                "libc-bin",
                "libc6",
                "libfdisk1",
                "libgnutls30t64",
                "libmount1",
                "libnetplan1",
                "libpam-systemd",
                "libpython3.12-minimal",
                "libpython3.12-stdlib",
                "libsmartcols1",
                "libssh-4",
                "libsystemd-shared",
                "libsystemd0",
                "libudev1",
                "libuuid1",
                "linux-image-virtual",
                "mount",
                "netplan-generator",
                "netplan.io",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "python3-apport",
                "python3-netplan",
                "python3-problem-report",
                "python3-urllib3",
                "python3.12",
                "python3.12-minimal",
                "sudo",
                "systemd",
                "systemd-dev",
                "systemd-resolved",
                "systemd-sysv",
                "systemd-timesyncd",
                "ubuntu-pro-client",
                "udev",
                "util-linux"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "apport",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.7",
                    "version": "2.28.1-0ubuntu3.7"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.8",
                    "version": "2.28.1-0ubuntu3.8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.28.1-0ubuntu3.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 11:50:50 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "apport-core-dump-handler",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.7",
                    "version": "2.28.1-0ubuntu3.7"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.8",
                    "version": "2.28.1-0ubuntu3.8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.28.1-0ubuntu3.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 11:50:50 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bsdutils",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "1:2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "1:2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fdisk",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gpgv",
                "from_version": {
                    "source_package_name": "gnupg2",
                    "source_package_version": "2.4.4-2ubuntu17.2",
                    "version": "2.4.4-2ubuntu17.2"
                },
                "to_version": {
                    "source_package_name": "gnupg2",
                    "source_package_version": "2.4.4-2ubuntu17.3",
                    "version": "2.4.4-2ubuntu17.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-30258",
                        "url": "https://ubuntu.com/security/CVE-2025-30258",
                        "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-19 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2114775
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-30258",
                                "url": "https://ubuntu.com/security/CVE-2025-30258",
                                "cve_description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-19 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * debian/patches/fix-key-validity-regression-due-to-CVE-2025-",
                            "    30258.patch:",
                            "    - Fix a key validity regression following patches for CVE-2025-30258,",
                            "      causing trusted \"certify-only\" primary keys to be ignored when checking",
                            "      signature on user IDs and computing key validity. This regression makes",
                            "      imported keys signed by a trusted \"certify-only\" key have an unknown",
                            "      validity (LP: #2114775).",
                            ""
                        ],
                        "package": "gnupg2",
                        "version": "2.4.4-2ubuntu17.3",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2114775
                        ],
                        "author": "dcpi <dcpi@u22vm>",
                        "date": "Thu, 26 Jun 2025 13:17:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gzip",
                "from_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.12-1ubuntu3",
                    "version": "1.12-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.12-1ubuntu3.1",
                    "version": "1.12-1ubuntu3.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083700
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/0001-maint-fix-s390-buffer-flushes.patch: align the behavior of",
                            "    dfltcc_inflate to do the same as gzip_inflate when it hits a premature EOF",
                            "    (LP: #2083700)",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.12-1ubuntu3.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2083700
                        ],
                        "author": "Andreas Hasenack <andreas@canonical.com>",
                        "date": "Mon, 27 Jan 2025 13:56:44 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libblkid1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.4",
                    "version": "2.39-0ubuntu8.4"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.5",
                    "version": "2.39-0ubuntu8.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-5702",
                        "url": "https://ubuntu.com/security/CVE-2025-5702",
                        "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-05 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-5702",
                                "url": "https://ubuntu.com/security/CVE-2025-5702",
                                "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-05 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure power10 strcmp implementation",
                            "    - debian/patches/any/CVE-2025-5702.patch: remove power10 optimized",
                            "      strcmp.",
                            "    - CVE-2025-5702",
                            "  * Moved other security patches to debian/patches/any.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 09 Jul 2025 12:47:47 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc6",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.4",
                    "version": "2.39-0ubuntu8.4"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.5",
                    "version": "2.39-0ubuntu8.5"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-5702",
                        "url": "https://ubuntu.com/security/CVE-2025-5702",
                        "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-05 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-5702",
                                "url": "https://ubuntu.com/security/CVE-2025-5702",
                                "cve_description": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-05 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure power10 strcmp implementation",
                            "    - debian/patches/any/CVE-2025-5702.patch: remove power10 optimized",
                            "      strcmp.",
                            "    - CVE-2025-5702",
                            "  * Moved other security patches to debian/patches/any.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.5",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 09 Jul 2025 12:47:47 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfdisk1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgnutls30t64",
                "from_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.3-1.1ubuntu3.3",
                    "version": "3.8.3-1.1ubuntu3.3"
                },
                "to_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.3-1.1ubuntu3.4",
                    "version": "3.8.3-1.1ubuntu3.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-32988",
                        "url": "https://ubuntu.com/security/CVE-2025-32988",
                        "cve_description": "A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.  This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-32989",
                        "url": "https://ubuntu.com/security/CVE-2025-32989",
                        "cve_description": "A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-32990",
                        "url": "https://ubuntu.com/security/CVE-2025-32990",
                        "cve_description": "A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-6395",
                        "url": "https://ubuntu.com/security/CVE-2025-6395",
                        "cve_description": "A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-10 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-32988",
                                "url": "https://ubuntu.com/security/CVE-2025-32988",
                                "cve_description": "A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.  This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-32989",
                                "url": "https://ubuntu.com/security/CVE-2025-32989",
                                "cve_description": "A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-32990",
                                "url": "https://ubuntu.com/security/CVE-2025-32990",
                                "cve_description": "A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-6395",
                                "url": "https://ubuntu.com/security/CVE-2025-6395",
                                "cve_description": "A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-10 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: double-free via otherName in the SAN",
                            "    - debian/patches/CVE-2025-32988.patch: avoid double free when exporting",
                            "      othernames in SAN in lib/x509/extensions.c.",
                            "    - CVE-2025-32988",
                            "  * SECURITY UPDATE: OOB read via malformed length field in SCT extension",
                            "    - debian/patches/CVE-2025-32989.patch: fix read buffer overrun in SCT",
                            "      timestamps in lib/x509/x509_ext.c.",
                            "    - CVE-2025-32989",
                            "  * SECURITY UPDATE: heap write overflow in certtool via invalid template",
                            "    - debian/patches/CVE-2025-32990.patch: avoid 1-byte write buffer",
                            "      overrun when parsing template in src/certtool-cfg.c,",
                            "      tests/cert-tests/Makefile.am, tests/cert-tests/template-test.sh,",
                            "      tests/cert-tests/templates/template-too-many-othernames.tmpl.",
                            "    - CVE-2025-32990",
                            "  * SECURITY UPDATE: NULL deref via missing PSK in TLS 1.3 handshake",
                            "    - debian/patches/CVE-2025-6395.patch: clear HSK_PSK_SELECTED when",
                            "      resetting binders in lib/handshake.c, lib/state.c, tests/Makefile.am,",
                            "      tests/tls13/hello_retry_request_psk.c.",
                            "    - CVE-2025-6395",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.3-1.1ubuntu3.4",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 11 Jul 2025 08:58:05 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmount1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnetplan1",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.1",
                    "version": "1.1.2-2~ubuntu24.04.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0007-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2~ubuntu24.04.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.12-minimal",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.6",
                    "version": "3.12.3-1ubuntu0.6"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using TarFile.errorlevel = 0 and extracting with a filter, the documented behavior is that any filtered members would be skipped and not extracted. However, the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using TarFile.errorlevel = 0 and extracting with a filter, the documented behavior is that any filtered members would be skipped and not extracted. However, the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.7",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 18 Jun 2025 15:29:45 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.12-stdlib",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.6",
                    "version": "3.12.3-1ubuntu0.6"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.7",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 18 Jun 2025 15:29:45 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsmartcols1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssh-4",
                "from_version": {
                    "source_package_name": "libssh",
                    "source_package_version": "0.10.6-2build2",
                    "version": "0.10.6-2build2"
                },
                "to_version": {
                    "source_package_name": "libssh",
                    "source_package_version": "0.10.6-2ubuntu0.1",
                    "version": "0.10.6-2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-4877",
                        "url": "https://ubuntu.com/security/CVE-2025-4877",
                        "cve_description": "Write beyond bounds in binary to base64 conversion functions",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-25"
                    },
                    {
                        "cve": "CVE-2025-4878",
                        "url": "https://ubuntu.com/security/CVE-2025-4878",
                        "cve_description": "A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-22 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5318",
                        "url": "https://ubuntu.com/security/CVE-2025-5318",
                        "cve_description": "A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-24 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5351",
                        "url": "https://ubuntu.com/security/CVE-2025-5351",
                        "cve_description": "A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5372",
                        "url": "https://ubuntu.com/security/CVE-2025-5372",
                        "cve_description": "A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values—where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-04 06:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-5987",
                        "url": "https://ubuntu.com/security/CVE-2025-5987",
                        "cve_description": "A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-07 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-4877",
                                "url": "https://ubuntu.com/security/CVE-2025-4877",
                                "cve_description": "Write beyond bounds in binary to base64 conversion functions",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-25"
                            },
                            {
                                "cve": "CVE-2025-4878",
                                "url": "https://ubuntu.com/security/CVE-2025-4878",
                                "cve_description": "A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-22 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-5318",
                                "url": "https://ubuntu.com/security/CVE-2025-5318",
                                "cve_description": "A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-24 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-5351",
                                "url": "https://ubuntu.com/security/CVE-2025-5351",
                                "cve_description": "A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-5372",
                                "url": "https://ubuntu.com/security/CVE-2025-5372",
                                "cve_description": "A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values—where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-04 06:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-5987",
                                "url": "https://ubuntu.com/security/CVE-2025-5987",
                                "cve_description": "A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-07 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Write beyond bounds in binary to base64 conversion",
                            "    functions",
                            "    - debian/patches/CVE-2025-4877.patch: prevent integer overflow and",
                            "      potential OOB.",
                            "    - CVE-2025-4877",
                            "  * SECURITY UPDATE: Use of uninitialized variable in",
                            "    privatekey_from_file()",
                            "    - debian/patches/CVE-2025-4878-1.patch: initialize pointers where",
                            "      possible.",
                            "    - debian/patches/CVE-2025-4878-2.patch: properly check return value to",
                            "      avoid NULL pointer dereference.",
                            "    - CVE-2025-4878",
                            "  * SECURITY UPDATE: OOB read in sftp_handle function",
                            "    - debian/patches/CVE-2025-5318.patch: fix possible buffer overrun.",
                            "    - CVE-2025-5318",
                            "  * SECURITY UPDATE: Double free in functions exporting keys",
                            "    - debian/patches/CVE-2025-5351.patch: avoid double-free on low-memory",
                            "      conditions.",
                            "    - CVE-2025-5351",
                            "  * SECURITY UPDATE: ssh_kdf() returns a success code on certain failures",
                            "    - debian/patches/CVE-2025-5372-pre1.patch: Reformat ssh_kdf().",
                            "    - debian/patches/CVE-2025-5372.patch: simplify error checking and",
                            "      handling of return codes in ssh_kdf().",
                            "    - CVE-2025-5372",
                            "  * SECURITY UPDATE: Invalid return code for chacha20 poly1305 with OpenSSL",
                            "    backend",
                            "    - debian/patches/CVE-2025-5987.patch: correctly detect failures of",
                            "      chacha initialization.",
                            "    - CVE-2025-5987",
                            "  * SECURITY UPDATE: Missing packet filter may expose to variant of",
                            "    Terrapin attack",
                            "    - debian/patches/missing_packet_filter.patch: implement missing packet",
                            "      filter for DH GEX.",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "libssh",
                        "version": "0.10.6-2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 02 Jul 2025 13:58:28 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libuuid1",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.8.0-60.63",
                    "version": "6.8.0-60.63"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.8.0-64.67",
                    "version": "6.8.0-64.67"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-64.67",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-64.67",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 15 Jun 2025 10:57:09 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-62.65",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.8.0-62.65",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Mon, 19 May 2025 17:53:20 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "mount",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan-generator",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.1",
                    "version": "1.1.2-2~ubuntu24.04.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0007-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2~ubuntu24.04.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan.io",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.1",
                    "version": "1.1.2-2~ubuntu24.04.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0007-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2~ubuntu24.04.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.12",
                    "version": "1:9.6p1-3ubuntu13.12"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.13",
                    "version": "1:9.6p1-3ubuntu13.13"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2080216
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Explicitly listen on IPv4 by default, with socket-activated sshd",
                            "    (LP: #2080216)",
                            "    - d/systemd/ssh.socket: explicitly listen on ipv4 by default",
                            "    - d/t/sshd-socket-generator: update for new defaults and AddressFamily",
                            "    - sshd-socket-generator: handle new ssh.socket default settings",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.6p1-3ubuntu13.13",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2080216
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Mon, 09 Jun 2025 13:22:39 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.12",
                    "version": "1:9.6p1-3ubuntu13.12"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.13",
                    "version": "1:9.6p1-3ubuntu13.13"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2080216
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Explicitly listen on IPv4 by default, with socket-activated sshd",
                            "    (LP: #2080216)",
                            "    - d/systemd/ssh.socket: explicitly listen on ipv4 by default",
                            "    - d/t/sshd-socket-generator: update for new defaults and AddressFamily",
                            "    - sshd-socket-generator: handle new ssh.socket default settings",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.6p1-3ubuntu13.13",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2080216
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Mon, 09 Jun 2025 13:22:39 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.12",
                    "version": "1:9.6p1-3ubuntu13.12"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:9.6p1-3ubuntu13.13",
                    "version": "1:9.6p1-3ubuntu13.13"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2080216
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Explicitly listen on IPv4 by default, with socket-activated sshd",
                            "    (LP: #2080216)",
                            "    - d/systemd/ssh.socket: explicitly listen on ipv4 by default",
                            "    - d/t/sshd-socket-generator: update for new defaults and AddressFamily",
                            "    - sshd-socket-generator: handle new ssh.socket default settings",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:9.6p1-3ubuntu13.13",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2080216
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Mon, 09 Jun 2025 13:22:39 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apport",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.7",
                    "version": "2.28.1-0ubuntu3.7"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.8",
                    "version": "2.28.1-0ubuntu3.8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.28.1-0ubuntu3.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 11:50:50 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-netplan",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.1",
                    "version": "1.1.2-2~ubuntu24.04.1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.1.2-2~ubuntu24.04.2",
                    "version": "1.1.2-2~ubuntu24.04.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2083029,
                    2083029
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add integration tests for `netplan try`",
                            "    - d/p/lp2083029/0007-tests-integration-netplan-try.patch",
                            "  * Fix networkd file permissions during `netplan try` restore (LP: #2083029)",
                            "    - d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch",
                            "  * Prevent netplan-generate from running during `netplan try` (LP: #2083029)",
                            "    - d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.1.2-2~ubuntu24.04.2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2083029,
                            2083029
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 17 Apr 2025 10:46:08 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-problem-report",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.7",
                    "version": "2.28.1-0ubuntu3.7"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.28.1-0ubuntu3.8",
                    "version": "2.28.1-0ubuntu3.8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112466
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: exception during core dump handling (LP: #2112466)",
                            "    - d/p/apport-Do-not-hide-FileNotFoundError-during-crash-handlin.patch:",
                            "      Do not hide FileNotFoundError during crash handling.",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.28.1-0ubuntu3.8",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [
                            2112466
                        ],
                        "author": "Octavio Galland <octavio.galland@canonical.com>",
                        "date": "Tue, 08 Jul 2025 11:50:50 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-urllib3",
                "from_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.0.7-1ubuntu0.1",
                    "version": "2.0.7-1ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.0.7-1ubuntu0.2",
                    "version": "2.0.7-1ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-50181",
                        "url": "https://ubuntu.com/security/CVE-2025-50181",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-19 01:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-50181",
                                "url": "https://ubuntu.com/security/CVE-2025-50181",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-19 01:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Information disclosure through improperly disabled",
                            "    redirects.",
                            "    - debian/patches/CVE-2025-50181.patch: Add \"retries\" check and set retries",
                            "      to Retry.from_int(retries, redirect=False) as well as set",
                            "      raise_on_redirect in ./src/urllib3/poolmanager.py.",
                            "    - CVE-2025-50181",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.0.7-1ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Mon, 23 Jun 2025 16:34:35 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.12",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.6",
                    "version": "3.12.3-1ubuntu0.6"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.7",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 18 Jun 2025 15:29:45 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.12-minimal",
                "from_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.6",
                    "version": "3.12.3-1ubuntu0.6"
                },
                "to_version": {
                    "source_package_name": "python3.12",
                    "source_package_version": "3.12.3-1ubuntu0.7",
                    "version": "3.12.3-1ubuntu0.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-12718",
                        "url": "https://ubuntu.com/security/CVE-2024-12718",
                        "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4138",
                        "url": "https://ubuntu.com/security/CVE-2025-4138",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4330",
                        "url": "https://ubuntu.com/security/CVE-2025-4330",
                        "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4435",
                        "url": "https://ubuntu.com/security/CVE-2025-4435",
                        "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-4517",
                        "url": "https://ubuntu.com/security/CVE-2025-4517",
                        "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-06-03 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-12718",
                                "url": "https://ubuntu.com/security/CVE-2024-12718",
                                "cve_description": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\" or file permissions (chmod) with filter=\"tar\" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4138",
                                "url": "https://ubuntu.com/security/CVE-2025-4138",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4330",
                                "url": "https://ubuntu.com/security/CVE-2025-4330",
                                "cve_description": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4435",
                                "url": "https://ubuntu.com/security/CVE-2025-4435",
                                "cve_description": "When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-4517",
                                "url": "https://ubuntu.com/security/CVE-2025-4517",
                                "cve_description": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".   You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of \"data\" or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information.  Note that for Python 3.14 or later the default value of filter= changed from \"no filtering\" to \"data\", so if you are relying on this new default behavior then your usage is also affected.  Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-06-03 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper",
                            "    tar filtering.",
                            "    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in",
                            "      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter",
                            "      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and",
                            "      unfiltered to ./Lib/tarfile.py. Modify tests.",
                            "    - CVE-2024-12718",
                            "    - CVE-2025-4138",
                            "    - CVE-2025-4330",
                            "    - CVE-2025-4435",
                            "    - CVE-2025-4517",
                            ""
                        ],
                        "package": "python3.12",
                        "version": "3.12.3-1ubuntu0.7",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Wed, 18 Jun 2025 15:29:45 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sudo",
                "from_version": {
                    "source_package_name": "sudo",
                    "source_package_version": "1.9.15p5-3ubuntu5",
                    "version": "1.9.15p5-3ubuntu5"
                },
                "to_version": {
                    "source_package_name": "sudo",
                    "source_package_version": "1.9.15p5-3ubuntu5.24.04.1",
                    "version": "1.9.15p5-3ubuntu5.24.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-32462",
                        "url": "https://ubuntu.com/security/CVE-2025-32462",
                        "cve_description": "Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-06-30 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-32463",
                        "url": "https://ubuntu.com/security/CVE-2025-32463",
                        "cve_description": "Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-06-30 21:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-32462",
                                "url": "https://ubuntu.com/security/CVE-2025-32462",
                                "cve_description": "Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-06-30 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-32463",
                                "url": "https://ubuntu.com/security/CVE-2025-32463",
                                "cve_description": "Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-06-30 21:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Local Privilege Escalation via host option",
                            "    - debian/patches/CVE-2025-32462.patch: only allow specifying a host",
                            "      when listing privileges.",
                            "    - CVE-2025-32462",
                            "  * SECURITY UPDATE: Local Privilege Escalation via chroot option",
                            "    - debian/patches/CVE-2025-32463.patch: remove user-selected root",
                            "      directory chroot option.",
                            "    - CVE-2025-32463",
                            ""
                        ],
                        "package": "sudo",
                        "version": "1.9.15p5-3ubuntu5.24.04.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 25 Jun 2025 08:42:53 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-dev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-timesyncd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "35.1ubuntu0~24.04",
                    "version": "35.1ubuntu0~24.04"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "36ubuntu0~24.04",
                    "version": "36ubuntu0~24.04"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2112382,
                    2112382,
                    2111610
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport 36ubuntu0 to noble (LP: #2112382)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "36ubuntu0~24.04",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2112382
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Tue, 24 Jun 2025 09:20:12 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor/ubuntu_pro_esm_cache.jinja2: use openssl abstraction in the",
                            "    apparmor profile",
                            "  * New upstream release 36: (LP: #2112382)",
                            "    - api: display all available valid CVEs",
                            "    - attach: relax the onlySeries directive, so users can attach onlySeries",
                            "      tokens to all releases older than the target release",
                            "    - cli:",
                            "      + anbox-cloud: update installation instructions",
                            "      + collect-logs: do not overwrite the output file if it exists",
                            "      + cve/cves:",
                            "        * return all affected packages for a cve (LP: #2111610)",
                            "        * handle the case where the vulnerability data doesn't exist for the",
                            "          Ubuntu release",
                            "    - fips:",
                            "      + enable --access-only for all fips related services (GH: #3441)",
                            "      + allow enablement even when the -updates pocket is not available in the",
                            "        system (GH: #3439)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "36ubuntu0",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2112382,
                            2111610
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Fri, 06 Jun 2025 11:08:26 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.8",
                    "version": "255.4-1ubuntu8.8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.10",
                    "version": "255.4-1ubuntu8.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2098183
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix regression in networkctl caused by previous upload:",
                            "    A regression was introduced due to an incorrect manager reference being passed to",
                            "    manager_get_route_table_to_string() within route_append_json(), resulting in an",
                            "    error when executing the `networkctl --json=pretty` command.",
                            "    > networkctl --json=pretty",
                            "    Failed to get description: Message recipient disconnected from message bus without replying",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.10",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Wed, 02 Jul 2025 10:04:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set",
                            "    (LP: #2098183)",
                            "    - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch",
                            "    - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch",
                            "    - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch",
                            "    - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch",
                            "    - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch",
                            "    - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch",
                            "    - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch",
                            "    - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch",
                            "    - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch",
                            "    - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch",
                            "    - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch",
                            "    - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch",
                            "    - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.9",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2098183
                        ],
                        "author": "Chengen Du <chengen.du@canonical.com>",
                        "date": "Mon, 09 Jun 2025 13:44:06 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "util-linux",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.2",
                    "version": "2.39.3-9ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.39.3-9ubuntu6.3",
                    "version": "2.39.3-9ubuntu6.3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2111723,
                    2111723,
                    2111723,
                    2111723
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/ubuntu/lp-2111723-0001-lscpu-New-Arm-Cortex-part-",
                            "    numbers.patch: [PATCH 1/4] lscpu: New Arm Cortex part numbers.",
                            "    Thanks to Jeremy Linton <jeremy.linton@arm.com>.  Closes LP:",
                            "    #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0002-lscpu-use-CPU-types-de-",
                            "    duplication.patch: [PATCH 2/4] lscpu: use CPU types de-duplication.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0003-tests-update-lscpu-vmware_fpe-",
                            "    output.patch: [PATCH 3/4] tests: update lscpu vmware_fpe output.",
                            "    Thanks to Karel Zak <kzak@redhat.com>.  Closes LP: #2111723.",
                            "  * debian/patches/ubuntu/lp-2111723-0004-tests-add-dump-from-ARM-with-",
                            "    A510-A710-A715-X3.patch: [PATCH 4/4] tests: add dump from ARM with",
                            "    A510+A710+A715+X3.  Thanks to Karel Zak <kzak@redhat.com>.  Closes",
                            "    LP: #2111723.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.39.3-9ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2111723,
                            2111723,
                            2111723,
                            2111723
                        ],
                        "author": "Andreas Glinserer <andreas.glinserer@canonical.com>",
                        "date": "Thu, 05 Jun 2025 14:17:38 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.8.0-64-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-60.63",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-64.67",
                    "version": "6.8.0-64.67"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-64.67",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-64.67",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 15 Jun 2025 10:57:40 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.8.0-62.65",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.8.0-62.65",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Mon, 19 May 2025 17:52:56 +0200"
                    }
                ],
                "notes": "linux-image-6.8.0-64-generic version '6.8.0-64.67' (source package linux-signed version '6.8.0-64.67') was added. linux-image-6.8.0-64-generic version '6.8.0-64.67' has the same source package name, linux-signed, as removed package linux-image-6.8.0-60-generic. As such we can use the source package version of the removed package, '6.8.0-60.63', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-64-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-60.63",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-64.67",
                    "version": "6.8.0-64.67"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-37946",
                        "url": "https://ubuntu.com/security/CVE-2025-37946",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs  With commit bcb5d6c76903 (\"s390/pci: introduce lock to synchronize state of zpci_dev's\") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a double put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37974",
                        "url": "https://ubuntu.com/security/CVE-2025-37974",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix missing check for zpci_create_device() error return  The zpci_create_device() function returns an error pointer that needs to be checked before dereferencing it as a struct zpci_dev pointer. Add the missing check in __clp_add() where it was missed when adding the scan_list in the fixed commit. Simply not adding the device to the scan list results in the previous behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-20 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-56699",
                        "url": "https://ubuntu.com/security/CVE-2024-56699",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix potential double remove of hotplug slot  In commit 6ee600bfbe0f (\"s390/pci: remove hotplug slot when releasing the device\") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed.  Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state.  Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-28 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37750",
                        "url": "https://ubuntu.com/security/CVE-2025-37750",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix UAF in decryption with multichannel  After commit f7025d861694 (\"smb: client: allocate crypto only for primary server\") and commit b0abcd65ec54 (\"smb: client: fix UAF in async decryption\"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption.  This fixes the following KASAN splat when running fstest generic/249 with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows Server 2022:  BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110 Read of size 8 at addr ffff8881046c18a0 by task cifsd/986 CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x5d/0x80  print_report+0x156/0x528  ? gf128mul_4k_lle+0xba/0x110  ? __virt_addr_valid+0x145/0x300  ? __phys_addr+0x46/0x90  ? gf128mul_4k_lle+0xba/0x110  kasan_report+0xdf/0x1a0  ? gf128mul_4k_lle+0xba/0x110  gf128mul_4k_lle+0xba/0x110  ghash_update+0x189/0x210  shash_ahash_update+0x295/0x370  ? __pfx_shash_ahash_update+0x10/0x10  ? __pfx_shash_ahash_update+0x10/0x10  ? __pfx_extract_iter_to_sg+0x10/0x10  ? ___kmalloc_large_node+0x10e/0x180  ? __asan_memset+0x23/0x50  crypto_ahash_update+0x3c/0xc0  gcm_hash_assoc_remain_continue+0x93/0xc0  crypt_message+0xe09/0xec0 [cifs]  ? __pfx_crypt_message+0x10/0x10 [cifs]  ? _raw_spin_unlock+0x23/0x40  ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]  decrypt_raw_data+0x229/0x380 [cifs]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]  ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]  smb3_receive_transform+0x837/0xc80 [cifs]  ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]  ? __pfx___might_resched+0x10/0x10  ? 
__pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]  cifs_demultiplex_thread+0x692/0x1570 [cifs]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]  ? rcu_is_watching+0x20/0x50  ? rcu_lockdep_current_cpu_online+0x62/0xb0  ? find_held_lock+0x32/0x90  ? kvm_sched_clock_read+0x11/0x20  ? local_clock_noinstr+0xd/0xd0  ? trace_irq_enable.constprop.0+0xa8/0xe0  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]  kthread+0x1fe/0x380  ? kthread+0x10f/0x380  ? __pfx_kthread+0x10/0x10  ? local_clock_noinstr+0xd/0xd0  ? ret_from_fork+0x1b/0x60  ? local_clock+0x15/0x30  ? lock_release+0x29b/0x390  ? rcu_is_watching+0x20/0x50  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x31/0x60  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-01 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40364",
                        "url": "https://ubuntu.com/security/CVE-2025-40364",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix io_req_prep_async with provided buffers  io_req_prep_async() can import provided buffers, commit the ring state by giving up on that before, it'll be reimported later if needed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-18 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-49887",
                        "url": "https://ubuntu.com/security/CVE-2024-49887",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to don't panic system for no free segment fault injection  f2fs: fix to don't panic system for no free segment fault injection  syzbot reports a f2fs bug as below:  F2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167 F2FS-fs (loop0): Stopped filesystem due to reason: 7 ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2748! CPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0 RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline] RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836 Call Trace:  __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167  f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]  f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195  f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799  f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903  vfs_fallocate+0x553/0x6c0 fs/open.c:334  do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886  __do_sys_ioctl fs/ioctl.c:905 [inline]  __se_sys_ioctl+0x81/0x170 fs/ioctl.c:893  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline] RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836  The root cause is when we inject no free segment fault into f2fs, we should not panic system, fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-10-21 18:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57975",
                        "url": "https://ubuntu.com/security/CVE-2024-57975",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do proper folio cleanup when run_delalloc_nocow() failed  [BUG] With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash with the following VM_BUG_ON_FOLIO():    BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28   BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28   page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664   aops:btrfs_aops [btrfs] ino:101 dentry name(?):\"f1774\"   flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)   page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))   ------------[ cut here ]------------   kernel BUG at mm/page-writeback.c:2992!   Internal error: Oops - BUG: 00000000f2000800 [#1] SMP   CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE     6.12.0-rc7-custom+ #87   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022   Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]   pc : folio_clear_dirty_for_io+0x128/0x258   lr : folio_clear_dirty_for_io+0x128/0x258   Call trace:    folio_clear_dirty_for_io+0x128/0x258    btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]    __process_folios_contig+0x154/0x268 [btrfs]    extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]    run_delalloc_nocow+0x5f8/0x760 [btrfs]    btrfs_run_delalloc_range+0xa8/0x220 [btrfs]    writepage_delalloc+0x230/0x4c8 [btrfs]    extent_writepage+0xb8/0x358 [btrfs]    extent_write_cache_pages+0x21c/0x4e8 [btrfs]    btrfs_writepages+0x94/0x150 [btrfs]    do_writepages+0x74/0x190    filemap_fdatawrite_wbc+0x88/0xc8    start_delalloc_inodes+0x178/0x3a8 [btrfs]    btrfs_start_delalloc_roots+0x174/0x280 [btrfs]    shrink_delalloc+0x114/0x280 [btrfs]    flush_space+0x250/0x2f8 [btrfs]    
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]    process_one_work+0x164/0x408    worker_thread+0x25c/0x388    kthread+0x100/0x118    ret_from_fork+0x10/0x20   Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)   ---[ end trace 0000000000000000 ]---  [CAUSE] The first two lines of extra debug messages show the problem is caused by the error handling of run_delalloc_nocow().  E.g. we have the following dirtied range (4K blocksize 4K page size):      0                 16K                  32K     |//////////////////////////////////////|     |  Pre-allocated  |  And the range [0, 16K) has a preallocated extent.  - Enter run_delalloc_nocow() for range [0, 16K)   Which found range [0, 16K) is preallocated, can do the proper NOCOW   write.  - Enter fallback_to_fow() for range [16K, 32K)   Since the range [16K, 32K) is not backed by preallocated extent, we   have to go COW.  - cow_file_range() failed for range [16K, 32K)   So cow_file_range() will do the clean up by clearing folio dirty,   unlock the folios.    Now the folios in range [16K, 32K) is unlocked.  - Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()   Which is called with PAGE_START_WRITEBACK to start page writeback.   But folios can only be marked writeback when it's properly locked,   thus this triggered the VM_BUG_ON_FOLIO().  Furthermore there is another hidden but common bug that run_delalloc_nocow() is not clearing the folio dirty flags in its error handling path. This is the common bug shared between run_delalloc_nocow() and cow_file_range().  [FIX] - Clear folio dirty for range [@start, @cur_offset)   Introduce a helper, cleanup_dirty_folios(), which   will find and lock the folio in the range, clear the dirty flag and   start/end the writeback, with the extra handling for the   @locked_folio.  
- Introduce a helper to clear folio dirty, start and end writeback  - Introduce a helper to record the last failed COW range end   This is to trace which range we should skip, to avoid double   unlocking.  - Skip the failed COW range for the e ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21714",
                        "url": "https://ubuntu.com/security/CVE-2025-21714",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix implicit ODP use after free  Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr.  Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a user after free and trace below.     refcount_t: underflow; use-after-free.    WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130    Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]    CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014    Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]    RIP: 0010:refcount_warn_saturate+0x12b/0x130    Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff    RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027    RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0    RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019    R10: 
000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00    R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0    FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033    CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400    Call Trace:     <TASK>     ? refcount_warn_saturate+0x12b/0x130     free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]     process_one_work+0x1cc/0x3c0     worker_thread+0x218/0x3c0     kthread+0xc6/0xf0     ret_from_fork+0x1f/0x30     </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21801",
                        "url": "https://ubuntu.com/security/CVE-2025-21801",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ravb: Fix missing rtnl lock in suspend/resume path  Fix the suspend/resume path by ensuring the rtnl lock is held where required. Calls to ravb_open, ravb_close and wol operations must be performed under the rtnl lock to prevent conflicts with ongoing ndo operations.  Without this fix, the following warning is triggered: [   39.032969] ============================= [   39.032983] WARNING: suspicious RCU usage [   39.033019] ----------------------------- [   39.033033] drivers/net/phy/phy_device.c:2004 suspicious rcu_dereference_protected() usage! ... [   39.033597] stack backtrace: [   39.033613] CPU: 0 UID: 0 PID: 174 Comm: python3 Not tainted 6.13.0-rc7-next-20250116-arm64-renesas-00002-g35245dfdc62c #7 [   39.033623] Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) [   39.033628] Call trace: [   39.033633]  show_stack+0x14/0x1c (C) [   39.033652]  dump_stack_lvl+0xb4/0xc4 [   39.033664]  dump_stack+0x14/0x1c [   39.033671]  lockdep_rcu_suspicious+0x16c/0x22c [   39.033682]  phy_detach+0x160/0x190 [   39.033694]  phy_disconnect+0x40/0x54 [   39.033703]  ravb_close+0x6c/0x1cc [   39.033714]  ravb_suspend+0x48/0x120 [   39.033721]  dpm_run_callback+0x4c/0x14c [   39.033731]  device_suspend+0x11c/0x4dc [   39.033740]  dpm_suspend+0xdc/0x214 [   39.033748]  dpm_suspend_start+0x48/0x60 [   39.033758]  suspend_devices_and_enter+0x124/0x574 [   39.033769]  pm_suspend+0x1ac/0x274 [   39.033778]  state_store+0x88/0x124 [   39.033788]  kobj_attr_store+0x14/0x24 [   39.033798]  sysfs_kf_write+0x48/0x6c [   39.033808]  kernfs_fop_write_iter+0x118/0x1a8 [   39.033817]  vfs_write+0x27c/0x378 [   39.033825]  ksys_write+0x64/0xf4 [   39.033833]  __arm64_sys_write+0x18/0x20 [   39.033841]  invoke_syscall+0x44/0x104 [   39.033852]  el0_svc_common.constprop.0+0xb4/0xd4 [   39.033862]  do_el0_svc+0x18/0x20 [   39.033870]  el0_svc+0x3c/0xf0 [   
39.033880]  el0t_64_sync_handler+0xc0/0xc4 [   39.033888]  el0t_64_sync+0x154/0x158 [   39.041274] ravb 11c30000.ethernet eth0: Link is Down",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21809",
                        "url": "https://ubuntu.com/security/CVE-2025-21809",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc, afs: Fix peer hash locking vs RCU callback  In its address list, afs now retains pointers to and refs on one or more rxrpc_peer objects.  The address list is freed under RCU and at this time, it puts the refs on those peers.  Now, when an rxrpc_peer object runs out of refs, it gets removed from the peer hash table and, for that, rxrpc has to take a spinlock.  However, it is now being called from afs's RCU cleanup, which takes place in BH context - but it is just taking an ordinary spinlock.  The put may also be called from non-BH context, and so there exists the possibility of deadlock if the BH-based RCU cleanup happens whilst the hash spinlock is held.  This led to the attached lockdep complaint.  Fix this by changing spinlocks of rxnet->peer_hash_lock back to BH-disabling locks.      ================================     WARNING: inconsistent lock state     6.13.0-rc5-build2+ #1223 Tainted: G            E     --------------------------------     inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.     
swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:     ffff88810babe228 (&rxnet->peer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0xcb/0x180     {SOFTIRQ-ON-W} state was registered at:       mark_usage+0x164/0x180       __lock_acquire+0x544/0x990       lock_acquire.part.0+0x103/0x280       _raw_spin_lock+0x2f/0x40       rxrpc_peer_keepalive_worker+0x144/0x440       process_one_work+0x486/0x7c0       process_scheduled_works+0x73/0x90       worker_thread+0x1c8/0x2a0       kthread+0x19b/0x1b0       ret_from_fork+0x24/0x40       ret_from_fork_asm+0x1a/0x30     irq event stamp: 972402     hardirqs last  enabled at (972402): [<ffffffff8244360e>] _raw_spin_unlock_irqrestore+0x2e/0x50     hardirqs last disabled at (972401): [<ffffffff82443328>] _raw_spin_lock_irqsave+0x18/0x60     softirqs last  enabled at (972300): [<ffffffff810ffbbe>] handle_softirqs+0x3ee/0x430     softirqs last disabled at (972313): [<ffffffff810ffc54>] __irq_exit_rcu+0x44/0x110      other info that might help us debug this:      Possible unsafe locking scenario:            CPU0            ----       lock(&rxnet->peer_hash_lock);       <Interrupt>         lock(&rxnet->peer_hash_lock);       *** DEADLOCK ***     1 lock held by swapper/1/0:      #0: ffffffff83576be0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x7/0x30      stack backtrace:     CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G            E     6.13.0-rc5-build2+ #1223     Tainted: [E]=UNSIGNED_MODULE     Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014     Call Trace:      <IRQ>      dump_stack_lvl+0x57/0x80      print_usage_bug.part.0+0x227/0x240      valid_state+0x53/0x70      mark_lock_irq+0xa5/0x2f0      mark_lock+0xf7/0x170      mark_usage+0xe1/0x180      __lock_acquire+0x544/0x990      lock_acquire.part.0+0x103/0x280      _raw_spin_lock+0x2f/0x40      rxrpc_put_peer+0xcb/0x180      afs_free_addrlist+0x46/0x90 [kafs]      rcu_do_batch+0x2d2/0x640      rcu_core+0x2f7/0x350      handle_softirqs+0x1ee/0x430      
__irq_exit_rcu+0x44/0x110      irq_exit_rcu+0xa/0x30      sysvec_apic_timer_interrupt+0x7f/0xa0      </IRQ>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58057",
                        "url": "https://ubuntu.com/security/CVE-2024-58057",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: convert workqueues to unbound  When a workqueue is created with `WQ_UNBOUND`, its work items are served by special worker-pools, whose host workers are not bound to any specific CPU. In the default configuration (i.e. when `queue_delayed_work` and friends do not specify which CPU to run the work item on), `WQ_UNBOUND` allows the work item to be executed on any CPU in the same node of the CPU it was enqueued on. While this solution potentially sacrifices locality, it avoids contention with other processes that might dominate the CPU time of the processor the work item was scheduled on.  This is not just a theoretical problem: in a particular scenario misconfigured process was hogging most of the time from CPU0, leaving less than 0.5% of its CPU time to the kworker. The IDPF workqueues that were using the kworker on CPU0 suffered large completion delays as a result, causing performance degradation, timeouts and eventual system crash.   * I have also run a manual test to gauge the performance   improvement. The test consists of an antagonist process   (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This   process is run under `taskset 01` to bind it to CPU0, and its   priority is changed with `chrt -pQ 9900 10000 ${pid}` and   `renice -n -20 ${pid}` after start.    Then, the IDPF driver is forced to prefer CPU0 by editing all calls   to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.    Finally, `ktraces` for the workqueue events are collected.    Without the current patch, the antagonist process can force   arbitrary delays between `workqueue_queue_work` and   `workqueue_execute_start`, that in my tests were as high as   `30ms`. With the current patch applied, the workqueue can be   migrated to another unloaded CPU in the same node, and, keeping   everything else equal, the maximum delay I could see was `6us`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57953",
                        "url": "https://ubuntu.com/security/CVE-2024-57953",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rtc: tps6594: Fix integer overflow on 32bit systems  The problem is this multiply in tps6594_rtc_set_offset()  \ttmp = offset * TICKS_PER_HOUR;  The \"tmp\" variable is an s64 but \"offset\" is a long in the (-277774)-277774 range.  On 32bit systems a long can hold numbers up to approximately two billion.  The number of TICKS_PER_HOUR is really large, (32768 * 3600) or roughly a hundred million.  When you start multiplying by a hundred million it doesn't take long to overflow the two billion mark.  Probably the safest way to fix this is to change the type of TICKS_PER_HOUR to long long because it's such a large number.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57982",
                        "url": "https://ubuntu.com/security/CVE-2024-57982",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: state: fix out-of-bounds read during lookup  lookup and resize can run in parallel.  The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array.  rehash does:   rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..]   net->xfrm.state_hmask = nhashmask;  While state lookup does:   h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);   hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) {  This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again).  Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent.  The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side.  xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21721",
                        "url": "https://ubuntu.com/security/CVE-2025-21721",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: handle errors that nilfs_prepare_chunk() may return  Patch series \"nilfs2: fix issues with rename operations\".  This series fixes BUG_ON check failures reported by syzbot around rename operations, and a minor behavioral issue where the mtime of a child directory changes when it is renamed instead of moved.   This patch (of 2):  The directory manipulation routines nilfs_set_link() and nilfs_delete_entry() rewrite the directory entry in the folio/page previously read by nilfs_find_entry(), so error handling is omitted on the assumption that nilfs_prepare_chunk(), which prepares the buffer for rewriting, will always succeed for these.  And if an error is returned, it triggers the legacy BUG_ON() checks in each routine.  This assumption is wrong, as proven by syzbot: the buffer layer called by nilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may fail due to metadata corruption or other reasons.  This has been there all along, but improved sanity checks and error handling may have made it more reproducible in fuzzing tests.  Fix this issue by adding missing error paths in nilfs_set_link(), nilfs_delete_entry(), and their caller nilfs_rename().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21722",
                        "url": "https://ubuntu.com/security/CVE-2025-21722",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: do not force clear folio if buffer is referenced  Patch series \"nilfs2: protect busy buffer heads from being force-cleared\".  This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue.   This patch (of 2):  Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to read-only, inconsistencies in the buffer state may occur.  One of the inconsistencies is that when nilfs2 calls mark_buffer_dirty() to set a data or metadata buffer as dirty, but it detects that the buffer is not in the uptodate state:   WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520   fs/buffer.c:1177  ...  Call Trace:   <TASK>   nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598   nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73   nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344   nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218   vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257   do_mkdirat+0x264/0x3a0 fs/namei.c:4280   __do_sys_mkdirat fs/namei.c:4295 [inline]   __se_sys_mkdirat fs/namei.c:4293 [inline]   __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293   do_syscall_x64 arch/x86/entry/common.c:52 [inline]   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83   entry_SYSCALL_64_after_hwframe+0x77/0x7f  The other is when nilfs_btree_propagate(), which propagates the dirty state to the ancestor nodes of a b-tree that point to a dirty buffer, detects that the origin buffer is not dirty, even though it should be:   WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089   nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089  ...  
Call Trace:   <TASK>   nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345   nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587   nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006   nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045   nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]   nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]   nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115   nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479   nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]   nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701   kthread+0x2f0/0x390 kernel/kthread.c:389   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244   </TASK>  Both of these issues are caused by the callbacks that handle the page/folio write requests, forcibly clear various states, including the working state of the buffers they hold, at unexpected times when they detect read-only fallback.  Fix these issues by checking if the buffer is referenced before clearing the page/folio state, and skipping the clear if it is.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21798",
                        "url": "https://ubuntu.com/security/CVE-2025-21798",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firewire: test: Fix potential null dereference in firewire kunit test  kunit_kzalloc() may return a NULL pointer; dereferencing it without a NULL check may lead to a NULL dereference. Add a NULL check for test_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21723",
                        "url": "https://ubuntu.com/security/CVE-2025-21723",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpi3mr: Fix possible crash when setting up bsg fails  If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc->bsg_queue)\" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash:  BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace:   <TASK>   mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]   mpi3mr_remove+0x6f/0x340 [mpi3mr]   pci_device_remove+0x3f/0xb0   device_release_driver_internal+0x19d/0x220   unbind_store+0xa4/0xb0   kernfs_fop_write_iter+0x11f/0x200   vfs_write+0x1fc/0x3e0   ksys_write+0x67/0xe0   do_syscall_64+0x38/0x80   entry_SYSCALL_64_after_hwframe+0x78/0xe2",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21724",
                        "url": "https://ubuntu.com/security/CVE-2025-21724",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()  Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant \"1\" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior.  The constant \"1\" defaults to a 32-bit \"int\", and when \"pgshift\" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type.  To resolve this, the constant is updated to \"1UL\", promoting it to an unsigned long type to match the operand's type.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21825",
                        "url": "https://ubuntu.com/security/CVE-2025-21825",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT  During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens:    BUG: scheduling while atomic: test_progs/676/0x00000003   3 locks held by test_progs/676:   #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830   #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500   #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0   Modules linked in: bpf_testmod(O)   Preemption disabled at:   [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500   CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11   Tainted: [W]=WARN, [O]=OOT_MODULE   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...   
Call Trace:   <TASK>   dump_stack_lvl+0x57/0x70   dump_stack+0x10/0x20   __schedule_bug+0x120/0x170   __schedule+0x300c/0x4800   schedule_rtlock+0x37/0x60   rtlock_slowlock_locked+0x6d9/0x54c0   rt_spin_lock+0x168/0x230   hrtimer_cancel_wait_running+0xe9/0x1b0   hrtimer_cancel+0x24/0x30   bpf_timer_delete_work+0x1d/0x40   bpf_timer_cancel_and_free+0x5e/0x80   bpf_obj_free_fields+0x262/0x4a0   check_and_free_fields+0x1d0/0x280   htab_map_update_elem+0x7fc/0x1500   bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43   bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e   bpf_prog_test_run_syscall+0x322/0x830   __sys_bpf+0x135d/0x3ca0   __x64_sys_bpf+0x75/0xb0   x64_sys_call+0x1b5/0xa10   do_syscall_64+0x3b/0xc0   entry_SYSCALL_64_after_hwframe+0x4b/0x53   ...   </TASK>  It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full.  Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to    cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary.  It is a bit hard to decide the right fix tag. 
One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT.  Depends-on: v6.12+ with PREEMPT_RT enabled",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57990",
                        "url": "https://ubuntu.com/security/CVE-2024-57990",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7925: fix off by one in mt7925_load_clc()  This comparison should be >= instead of > to prevent an out of bounds read and write.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57974",
                        "url": "https://ubuntu.com/security/CVE-2024-57974",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Deal with race between UDP socket address change and rehash  If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated.  Secondary hash chains were introduced by commit 30fff9231fad (\"udp: bind() optimisation\") and, as a result, a rehash operation became needed to make a bound socket reachable again after a connect().  This operation was introduced by commit 719f835853a9 (\"udp: add rehash on connect()\") which isn't however a complete fix: the socket will be found once the rehashing completes, but not while it's pending.  This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a client sending datagrams to it. After the server receives the first datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to the address of the sender, in order to set up a directed flow.  
Now, if the client, running on a different CPU thread, happens to send a (subsequent) datagram while the server's socket changes its address, but is not rehashed yet, this will result in a failed lookup and a port unreachable error delivered to the client, as apparent from the following reproducer:    LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))   dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in    while :; do   \ttaskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &   \tsleep 0.1 || sleep 1   \ttaskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null   \twait   done  where the client will eventually get ECONNREFUSED on a write() (typically the second or third one of a given iteration):    2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused  This issue was first observed as a seldom failure in Podman's tests checking UDP functionality while using pasta(1) to connect the container's network namespace, which leads us to a reproducer with the lookup error resulting in an ICMP packet on a tap device:    LOCAL_ADDR=\"$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == \"global\").local')\"    while :; do   \t./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &   \tsleep 0.2 || sleep 1   \tsocat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null   \twait   \tcmp tmp.in tmp.out   done  Once this fails:    tmp.in tmp.out differ: char 8193, line 29  we can finally have a look at what's going on:    $ tshark -r pasta.pcap       1   0.000000           :: ? ff02::16     ICMPv6 110 Multicast Listener Report Message v2       2   0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       3   0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       4   0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       5   0.168827 c6:47:05:8d:dc:04 ? Broadcast    ARP 42 Who has 88.198.0.161? 
Tell 88.198.0.164       6   0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55       7   0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       8   0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)       9   0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192      10   0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192      11   0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096      12   0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0  On the third datagram received, the network namespace of the container initiates an ARP lookup to deliver the ICMP message.  In another variant of this reproducer, starting the client with:    strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57994",
                        "url": "https://ubuntu.com/security/CVE-2024-57994",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()  Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage.  syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1]  As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH.  Rename helpers to better reflect they are safe against BH only.  - ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh() - skb_array_resize_multiple() to skb_array_resize_multiple_bh()  [1]  WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Modules linked in: CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline] RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85 RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083 RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843 RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040 R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff FS:  00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa15a0d4b72 CR3: 
00000000561b0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  tun_ptr_free drivers/net/tun.c:617 [inline]  __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]  ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]  tun_queue_resize drivers/net/tun.c:3694 [inline]  tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714  notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93  call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]  call_netdevice_notifiers net/core/dev.c:2046 [inline]  dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024  do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923  rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201  rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57999",
                        "url": "https://ubuntu.com/security/CVE-2024-57999",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW  Power Hypervisor can possibily allocate MMIO window intersecting with Dynamic DMA Window (DDW) range, which is over 32-bit addressing.  These MMIO pages needs to be marked as reserved so that IOMMU doesn't map DMA buffers in this range.  The current code is not marking these pages correctly which is resulting in LPAR to OOPS while booting. The stack is at below  BUG: Unable to handle kernel data access on read at 0xc00800005cd40000 Faulting instruction address: 0xc00000000005cdac Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod Supported: Yes, External CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries Workqueue: events work_for_cpu_fn NIP:  c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000 REGS: c00001400c9ff770 TRAP: 0300   Not tainted (6.4.0-150600.23.14-default) MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24228448 XER: 00000001 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800 GPR04: 0000080000000000 0000000000000001 0000000004000000 
0000000000800000 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100 LR [c00000000005e830] iommu_init_table+0x80/0x1e0 Call Trace: [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable) [c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40 [c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230 [c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90 [c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80 [c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net] [c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110 [c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60 [c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620 [c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620 [c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150 [c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18  There are 2 issues in the code  1. The index is \"int\" while the address is \"unsigned long\". This results in    negative value when setting the bitmap.  2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit    address). MMIO address needs to be page shifted as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58054",
                        "url": "https://ubuntu.com/security/CVE-2024-58054",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: max96712: fix kernel oops when removing module  The following kernel oops is thrown when trying to remove the max96712 module:  Unable to handle kernel paging request at virtual address 00007375746174db Mem abort info:   ESR = 0x0000000096000004   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x04: level 0 translation fault Data abort info:   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000 [00007375746174db] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan     snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2     imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev     snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils     max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse     [last unloaded: imx8_isi] CPU: 0 UID: 0 PID: 754 Comm: rmmod \t    Tainted: G         C    6.12.0-rc6-06364-g327fec852c31 #17 Tainted: [C]=CRAP Hardware name: NXP i.MX95 19X19 board (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : led_put+0x1c/0x40 lr : v4l2_subdev_put_privacy_led+0x48/0x58 sp : ffff80008699bbb0 x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8 x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000 x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010 x8 : 0101010101010101 x7 : 
7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1 x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473 Call trace:  led_put+0x1c/0x40  v4l2_subdev_put_privacy_led+0x48/0x58  v4l2_async_unregister_subdev+0x2c/0x1a4  max96712_remove+0x1c/0x38 [max96712]  i2c_device_remove+0x2c/0x9c  device_remove+0x4c/0x80  device_release_driver_internal+0x1cc/0x228  driver_detach+0x4c/0x98  bus_remove_driver+0x6c/0xbc  driver_unregister+0x30/0x60  i2c_del_driver+0x54/0x64  max96712_i2c_driver_exit+0x18/0x1d0 [max96712]  __arm64_sys_delete_module+0x1a4/0x290  invoke_syscall+0x48/0x10c  el0_svc_common.constprop.0+0xc0/0xe0  do_el0_svc+0x1c/0x28  el0_svc+0x34/0xd8  el0t_64_sync_handler+0x120/0x12c  el0t_64_sync+0x190/0x194 Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400) ---[ end trace 0000000000000000 ]---  This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata() is called again and the data is overwritten to point to sd, instead of priv. So, in remove(), the wrong pointer is passed to v4l2_async_unregister_subdev(), leading to a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58055",
                        "url": "https://ubuntu.com/security/CVE-2024-58055",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_tcm: Don't free command immediately  Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57979",
                        "url": "https://ubuntu.com/security/CVE-2024-57979",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: Fix a use-after-free  On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting:      pps pps1: removed     ------------[ cut here ]------------     kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.     WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150     CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1     Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : kobject_put+0x120/0x150     lr : kobject_put+0x120/0x150     sp : ffffffc0803d3ae0     x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001     x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440     x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600     x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000     x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20     x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000     x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000     x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000     x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000     x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000     Call trace:      kobject_put+0x120/0x150      cdev_put+0x20/0x3c      __fput+0x2c4/0x2d8      ____fput+0x1c/0x38      task_work_run+0x70/0xfc      do_exit+0x2a0/0x924      do_group_exit+0x34/0x90      get_signal+0x7fc/0x8c0      do_signal+0x128/0x13b4      do_notify_resume+0xdc/0x160      el0_svc+0xd4/0xf8      el0t_64_sync_handler+0x140/0x14c      el0t_64_sync+0x190/0x194     ---[ end trace 0000000000000000 ]---  ...followed by more symptoms of corruption, with similar stacks:      refcount_t: 
underflow; use-after-free.     kernel BUG at lib/list_debug.c:62!     Kernel panic - not syncing: Oops - BUG: Fatal exception  This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board.  In commit d953e0e837e6 (\"pps: Fix a use-after free bug when unregistering a source.\"), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device.  But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.      pps_core: source serial1 got cdev (251:1)     <...>     pps pps1: removed     pps_core: unregistering pps1     pps_core: deallocating pps1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57980",
                        "url": "https://ubuntu.com/security/CVE-2024-57980",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: uvcvideo: Fix double free in error path  If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it.  Reviewed by: Ricardo Ribalda <ribalda@chromium.org>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58056",
                        "url": "https://ubuntu.com/security/CVE-2024-58056",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  remoteproc: core: Fix ida_free call while not allocated  In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called.  In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been  initialized to 0. ida_free() is called reporting a warning: [    4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [    4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [    4.188854] ida_free called for id=0 which is not allocated. [    4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [    4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [    4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [    4.231481] Hardware name: STM32 (Device Tree Support) [    4.236627] Workqueue: events_unbound deferred_probe_work_func [    4.242504] Call trace: [    4.242522]  unwind_backtrace from show_stack+0x10/0x14 [    4.250218]  show_stack from dump_stack_lvl+0x50/0x64 [    4.255274]  dump_stack_lvl from __warn+0x80/0x12c [    4.260134]  __warn from warn_slowpath_fmt+0x114/0x188 [    4.265199]  warn_slowpath_fmt from ida_free+0x100/0x164 [    4.270565]  ida_free from rproc_type_release+0x38/0x60 [    4.275832]  rproc_type_release from device_release+0x30/0xa0 [    4.281601]  device_release from kobject_put+0xc4/0x294 [    4.286762]  kobject_put from rproc_alloc.part.0+0x208/0x28c [    4.292430]  rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [    4.298393]  devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [    4.305575]  stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc  
Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21705",
                        "url": "https://ubuntu.com/security/CVE-2025-21705",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: handle fastopen disconnect correctly  Syzbot was able to trigger a data stream corruption:    WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024   Modules linked in:   CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024   RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024   Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07   RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293   RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000   RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000   RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928   R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000   R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000   FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400   Call Trace:    <TASK>    __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074    mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493    release_sock+0x1aa/0x1f0 net/core/sock.c:3640    inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]    __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703    mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755    mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830    sock_sendmsg_nosec net/socket.c:711 
[inline]    __sock_sendmsg+0x1a6/0x270 net/socket.c:726    ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583    ___sys_sendmsg net/socket.c:2637 [inline]    __sys_sendmsg+0x269/0x350 net/socket.c:2669    do_syscall_x64 arch/x86/entry/common.c:52 [inline]    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7f6e86ebfe69   Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48   RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e   RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69   RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003   RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc   R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508    </TASK>  The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors.  Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21707",
                        "url": "https://ubuntu.com/security/CVE-2025-21707",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: consolidate suboption status  MPTCP maintains the received sub-options status is the bitmask carrying the received suboptions and in several bitfields carrying per suboption additional info.  Zeroing the bitmask before parsing is not enough to ensure a consistent status, and the MPTCP code has to additionally clear some bitfiled depending on the actually parsed suboption.  The above schema is fragile, and syzbot managed to trigger a path where a relevant bitfield is not cleared/initialized:    BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]   BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]   BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]   BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209    __mptcp_expand_seq net/mptcp/options.c:1030 [inline]    mptcp_expand_seq net/mptcp/protocol.h:864 [inline]    ack_update_msk net/mptcp/options.c:1060 [inline]    mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209    tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233    tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264    tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916    tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351    ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205    ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233    NF_HOOK include/linux/netfilter.h:314 [inline]    ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254    dst_input include/net/dst.h:460 [inline]    ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447    NF_HOOK include/linux/netfilter.h:314 [inline]    ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567    __netif_receive_skb_one_core net/core/dev.c:5704 [inline]    __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817    process_backlog+0x4ad/0xa50 net/core/dev.c:6149   
 __napi_poll+0xe7/0x980 net/core/dev.c:6902    napi_poll net/core/dev.c:6971 [inline]    net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093    handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561    __do_softirq+0x14/0x1a kernel/softirq.c:595    do_softirq+0x9a/0x100 kernel/softirq.c:462    __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389    local_bh_enable include/linux/bottom_half.h:33 [inline]    rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]    __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493    dev_queue_xmit include/linux/netdevice.h:3168 [inline]    neigh_hh_output include/net/neighbour.h:523 [inline]    neigh_output include/net/neighbour.h:537 [inline]    ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236    __ip_finish_output+0x287/0x810    ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324    NF_HOOK_COND include/linux/netfilter.h:303 [inline]    ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434    dst_output include/net/dst.h:450 [inline]    ip_local_out net/ipv4/ip_output.c:130 [inline]    __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536    ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550    __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468    tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]    tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829    __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012    tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618    __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130    __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496    mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550    mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889    mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]    mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]    mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]    mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750    genl_family_rcv_msg_doit 
net/netlink/genetlink.c:1115 [inline]  ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57981",
                        "url": "https://ubuntu.com/security/CVE-2024-57981",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: xhci: Fix NULL pointer dereference on certain command aborts  If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment.  If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.  Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone.  This is probably Bug 219532, but no confirmation has been received.  The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21708",
                        "url": "https://ubuntu.com/security/CVE-2025-21708",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: rtl8150: enable basic endpoint checking  Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below.  For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary.  [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv> Modules linked in: CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8> RSP: 0018:ffffc9000441f740 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9 RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c FS:  00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733  __dev_open+0x2d4/0x4e0 net/core/dev.c:1474  __dev_change_flags+0x561/0x720 net/core/dev.c:8838  dev_change_flags+0x8f/0x160 net/core/dev.c:8910  
devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177  inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003  sock_do_ioctl+0x116/0x280 net/socket.c:1222  sock_ioctl+0x22e/0x6c0 net/socket.c:1341  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:907 [inline]  __se_sys_ioctl fs/ioctl.c:893 [inline]  __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc04ef73d49 ...  This change has not been tested on real hardware.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21826",
                        "url": "https://ubuntu.com/security/CVE-2025-21826",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: reject mismatching sum of field_len with set key length  The field length description provides the length of each separated key field in the concatenation, each field gets rounded up to 32-bits to calculate the pipapo rule width from pipapo_init(). The set key length provides the total size of the key aligned to 32-bits.  Register-based arithmetics still allows for combining mismatching set key length and field length description, eg. set key length 10 and field description [ 5, 4 ] leading to pipapo width of 12.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21808",
                        "url": "https://ubuntu.com/security/CVE-2025-21808",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: xdp: Disallow attaching device-bound programs in generic mode  Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means they can't work in generic XDP mode. However, there is no check to disallow such programs from being attached in generic mode, in which case the metadata kfuncs will be called in an invalid context, leading to crashes.  Fix this by adding a check to disallow attaching device-bound programs in generic mode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21710",
                        "url": "https://ubuntu.com/security/CVE-2025-21710",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: correct handling of extreme memory squeeze  Testing with iperf3 using the \"pasta\" protocol splicer has revealed a problem in the way tcp handles window advertising in extreme memory squeeze situations.  Under memory pressure, a socket endpoint may temporarily advertise a zero-sized window, but this is not stored as part of the socket data. The reasoning behind this is that it is considered a temporary setting which shouldn't influence any further calculations.  However, if we happen to stall at an unfortunate value of the current window size, the algorithm selecting a new value will consistently fail to advertise a non-zero window once we have freed up enough memory. This means that this side's notion of the current window size is different from the one last advertised to the peer, causing the latter to not send any data to resolve the sitution.  The problem occurs on the iperf3 server side, and the socket in question is a completely regular socket with the default settings for the fedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.  
The following excerpt of a logging session, with own comments added, shows more in detail what is happening:  //              tcp_v4_rcv(->) //                tcp_rcv_established(->) [5201<->39222]:     ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ==== [5201<->39222]:     tcp_data_queue(->) [5201<->39222]:        DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM                        [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]                        [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0]                        [OFO queue: gap: 65480, len: 0] [5201<->39222]:     tcp_data_queue(<-) [5201<->39222]:     __tcp_transmit_skb(->)                         [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]:       tcp_select_window(->) [5201<->39222]:         (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE                         [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]                         returning 0 [5201<->39222]:       tcp_select_window(<-) [5201<->39222]:       ADVERTISING WIN 0, ACK_SEQ: 265600160 [5201<->39222]:     [__tcp_transmit_skb(<-) [5201<->39222]:   tcp_rcv_established(<-) [5201<->39222]: tcp_v4_rcv(<-)  // Receive queue is at 85 buffers and we are out of memory. // We drop the incoming buffer, although it is in sequence, and decide // to send an advertisement with a window of zero. // We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means // we unconditionally shrink the window.  [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]:   __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]:     [new_win = 0, win_now = 131184, 2 * win_now = 262368] [5201<->39222]:     [new_win >= (2 * win_now) ? 
--> time_to_ack = 0] [5201<->39222]:     NOT calling tcp_send_ack()                     [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]:   __tcp_cleanup_rbuf(<-)                   [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]                   [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0]                   returning 6104 bytes [5201<->39222]: tcp_recvmsg_locked(<-)  // After each read, the algorithm for calculating the new receive // window in __tcp_cleanup_rbuf() finds it is too small to advertise // or to update tp->rcv_wnd. // Meanwhile, the peer thinks the window is zero, and will not send // any more data to trigger an update from the interrupt mode side.  [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]:   __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]:     [new_win = 262144, win_now = 131184, 2 * win_n ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21715",
                        "url": "https://ubuntu.com/security/CVE-2025-21715",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: davicom: fix UAF in dm9000_drv_remove  dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function.  This is similar to the issue fixed in commit ad297cd2db89 (\"net: qcom/emac: fix UAF in emac_remove\").  This bug is detected by our static analysis tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21716",
                        "url": "https://ubuntu.com/security/CVE-2025-21716",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: Fix uninit-value in vxlan_vnifilter_dump()  KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1].  If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations.  [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422  vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422  rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786  netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317  __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432  netlink_dump_start include/linux/netlink.h:340 [inline]  rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline]  rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882  netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542  rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]  netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347  netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891  sock_sendmsg_nosec net/socket.c:711 [inline]  __sock_sendmsg+0x330/0x3d0 net/socket.c:726  ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637  __sys_sendmsg net/socket.c:2669 [inline]  __do_sys_sendmsg net/socket.c:2674 [inline]  __se_sys_sendmsg net/socket.c:2672 [inline]  __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672  x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4110 [inline]  slab_alloc_node mm/slub.c:4153 [inline]  
kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205  kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587  __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678  alloc_skb include/linux/skbuff.h:1323 [inline]  netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196  netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866  sock_sendmsg_nosec net/socket.c:711 [inline]  __sock_sendmsg+0x330/0x3d0 net/socket.c:726  ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637  __sys_sendmsg net/socket.c:2669 [inline]  __do_sys_sendmsg net/socket.c:2674 [inline]  __se_sys_sendmsg net/socket.c:2672 [inline]  __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672  x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21718",
                        "url": "https://ubuntu.com/security/CVE-2025-21718",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rose: fix timer races against user threads  Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread.  Add a check and rearm the timers if needed.  BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <IRQ>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120   print_address_description mm/kasan/report.c:378 [inline]   print_report+0x169/0x550 mm/kasan/report.c:489   kasan_report+0x143/0x180 mm/kasan/report.c:602   rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174   call_timer_fn+0x187/0x650 kernel/time/timer.c:1793   expire_timers kernel/time/timer.c:1844 [inline]   __run_timers kernel/time/timer.c:2418 [inline]   __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430   run_timer_base kernel/time/timer.c:2439 [inline]   run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449   handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561   __do_softirq kernel/softirq.c:595 [inline]   invoke_softirq kernel/softirq.c:435 [inline]   __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662   irq_exit_rcu+0x9/0x30 kernel/softirq.c:678   instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]   sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049  </IRQ>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21719",
                        "url": "https://ubuntu.com/security/CVE-2025-21719",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmr: do not call mr_mfc_uses_dev() for unres entries  syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to \"struct sk_buff_head unresolved\", which contain two pointers.  This code never worked, lets remove it.  [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]  pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334  lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]  lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace:   mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)   mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)   mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382   ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648   rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327   rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791   netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317   netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973   sock_recvmsg_nosec net/socket.c:1033 [inline]   sock_recvmsg net/socket.c:1055 [inline]   sock_read_iter+0x2d8/0x40c net/socket.c:1125   new_sync_read fs/read_write.c:484 [inline]   vfs_read+0x740/0x970 fs/read_write.c:565   ksys_read+0x15c/0x26c fs/read_write.c:708",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21802",
                        "url": "https://ubuntu.com/security/CVE-2025-21802",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: hns3: fix oops when unload drivers paralleling  When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops.  But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock.  To fix it, introduce a new mutex to protect the unload process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58058",
                        "url": "https://ubuntu.com/security/CVE-2024-58058",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ubifs: skip dumping tnc tree when zroot is null  Clearing slab cache will free all znode in memory and make c->zroot.znode = NULL, then dumping tnc tree will access c->zroot.znode which cause null pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58069",
                        "url": "https://ubuntu.com/security/CVE-2024-58069",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read  The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int.  Fix this by using an intermediary unsigned int to hold the value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21720",
                        "url": "https://ubuntu.com/security/CVE-2025-21720",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete intermediate secpath entry in packet offload mode  Packets handled by hardware have added secpath as a way to inform XFRM core code that this path was already handled. That secpath is not needed at all after policy is checked and it is removed later in the stack.  However, in the case of IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward), that secpath is not removed and packets which already were handled are reentered to the driver TX path with xfrm_offload set.  The following kernel panic is observed in mlx5 in such case:   mlx5_core 0000:04:00.0 enp4s0f0np0: Link up  mlx5_core 0000:04:00.1 enp4s0f1np1: Link up  Initializing XFRM netlink socket  IPsec XFRM device driver  BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor instruction fetch in kernel mode  #PF: error_code(0x0010) - not-present page  PGD 0 P4D 0  Oops: Oops: 0010 [#1] PREEMPT SMP  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014  RIP: 0010:0x0  Code: Unable to access opcode bytes at 0xffffffffffffffd6.  RSP: 0018:ffffb87380003800 EFLAGS: 00010206  RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf  RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00  RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010  R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00  R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e  FS:  0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0  Call Trace:   <IRQ>   ? show_regs+0x63/0x70   ? __die_body+0x20/0x60   ? __die+0x2b/0x40   ? page_fault_oops+0x15c/0x550   ? do_user_addr_fault+0x3ed/0x870   ? 
exc_page_fault+0x7f/0x190   ? asm_exc_page_fault+0x27/0x30   mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core]   mlx5e_xmit+0x58e/0x1980 [mlx5_core]   ? __fib_lookup+0x6a/0xb0   dev_hard_start_xmit+0x82/0x1d0   sch_direct_xmit+0xfe/0x390   __dev_queue_xmit+0x6d8/0xee0   ? __fib_lookup+0x6a/0xb0   ? internal_add_timer+0x48/0x70   ? mod_timer+0xe2/0x2b0   neigh_resolve_output+0x115/0x1b0   __neigh_update+0x26a/0xc50   neigh_update+0x14/0x20   arp_process+0x2cb/0x8e0   ? __napi_build_skb+0x5e/0x70   arp_rcv+0x11e/0x1c0   ? dev_gro_receive+0x574/0x820   __netif_receive_skb_list_core+0x1cf/0x1f0   netif_receive_skb_list_internal+0x183/0x2a0   napi_complete_done+0x76/0x1c0   mlx5e_napi_poll+0x234/0x7a0 [mlx5_core]   __napi_poll+0x2d/0x1f0   net_rx_action+0x1a6/0x370   ? atomic_notifier_call_chain+0x3b/0x50   ? irq_int_handler+0x15/0x20 [mlx5_core]   handle_softirqs+0xb9/0x2f0   ? handle_irq_event+0x44/0x60   irq_exit_rcu+0xdb/0x100   common_interrupt+0x98/0xc0   </IRQ>   <TASK>   asm_common_interrupt+0x27/0x40  RIP: 0010:pv_native_safe_halt+0xb/0x10  Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22  0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb 40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8  RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680  RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4  RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70  R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40  R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8   ? default_idle+0x9/0x20   arch_cpu_idle+0x9/0x10   default_idle_call+0x29/0xf0   do_idle+0x1f2/0x240   cpu_startup_entry+0x2c/0x30   rest_init+0xe7/0x100   start_kernel+0x76b/0xb90   x86_64_start_reservations+0x18/0x30   x86_64_start_kernel+0xc0/0x110   ? 
setup_ghcb+0xe/0x130   common_startup_64+0x13e/0x141   </TASK>  Modules linked in: esp4_offload esp4 xfrm_interface xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21803",
                        "url": "https://ubuntu.com/security/CVE-2025-21803",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix warnings during S3 suspend  The enable_gpe_wakeup() function calls acpi_enable_all_wakeup_gpes(), and the later one may call the preempt_schedule_common() function, resulting in a thread switch and causing the CPU to be in an interrupt enabled state after the enable_gpe_wakeup() function returns, leading to the warnings as follow.  [ C0] WARNING: ... at kernel/time/timekeeping.c:845 ktime_get+0xbc/0xc8 [ C0]          ... [ C0] Call Trace: [ C0] [<90000000002243b4>] show_stack+0x64/0x188 [ C0] [<900000000164673c>] dump_stack_lvl+0x60/0x88 [ C0] [<90000000002687e4>] __warn+0x8c/0x148 [ C0] [<90000000015e9978>] report_bug+0x1c0/0x2b0 [ C0] [<90000000016478e4>] do_bp+0x204/0x3b8 [ C0] [<90000000025b1924>] exception_handlers+0x1924/0x10000 [ C0] [<9000000000343bbc>] ktime_get+0xbc/0xc8 [ C0] [<9000000000354c08>] tick_sched_timer+0x30/0xb0 [ C0] [<90000000003408e0>] __hrtimer_run_queues+0x160/0x378 [ C0] [<9000000000341f14>] hrtimer_interrupt+0x144/0x388 [ C0] [<9000000000228348>] constant_timer_interrupt+0x38/0x48 [ C0] [<90000000002feba4>] __handle_irq_event_percpu+0x64/0x1e8 [ C0] [<90000000002fed48>] handle_irq_event_percpu+0x20/0x80 [ C0] [<9000000000306b9c>] handle_percpu_irq+0x5c/0x98 [ C0] [<90000000002fd4a0>] generic_handle_domain_irq+0x30/0x48 [ C0] [<9000000000d0c7b0>] handle_cpu_irq+0x70/0xa8 [ C0] [<9000000001646b30>] handle_loongarch_irq+0x30/0x48 [ C0] [<9000000001646bc8>] do_vint+0x80/0xe0 [ C0] [<90000000002aea1c>] finish_task_switch.isra.0+0x8c/0x2a8 [ C0] [<900000000164e34c>] __schedule+0x314/0xa48 [ C0] [<900000000164ead8>] schedule+0x58/0xf0 [ C0] [<9000000000294a2c>] worker_thread+0x224/0x498 [ C0] [<900000000029d2f0>] kthread+0xf8/0x108 [ C0] [<9000000000221f28>] ret_from_kernel_thread+0xc/0xa4 [ C0] [ C0] ---[ end trace 0000000000000000 ]---  The root cause is acpi_enable_all_wakeup_gpes() uses a mutex to protect 
acpi_hw_enable_all_wakeup_gpes(), and acpi_ut_acquire_mutex() may cause a thread switch. Since there is no longer concurrent execution during loongarch_acpi_suspend(), we can call acpi_hw_enable_all_wakeup_gpes() directly in enable_gpe_wakeup().  The solution is similar to commit 22db06337f590d01 (\"ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep()\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21810",
                        "url": "https://ubuntu.com/security/CVE-2025-21810",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()  There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage:  // All members of @iter are wild pointers. struct class_dev_iter iter;  // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...);  // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... };  // Also dereference these wild pointers here. class_dev_iter_exit(&iter);  Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init()   and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21811",
                        "url": "https://ubuntu.com/security/CVE-2025-21811",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: protect access to buffers with no active references  nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, accesses the attached buffers without locking the folios/pages.  For data cache, nilfs_clear_folio_dirty() may be called asynchronously when the file system degenerates to read only, so nilfs_lookup_dirty_data_buffers() still has the potential to cause use after free issues when buffers lose the protection of their dirty state midway due to this asynchronous clearing and are unintentionally freed by try_to_free_buffers().  Eliminate this race issue by adjusting the lock section in this function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21804",
                        "url": "https://ubuntu.com/security/CVE-2025-21804",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()  The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is then passed on as one of the macro arguments. This can lead to undefined behavior.  Depending on the current contents of the memory, the manifestations of errors may vary. One possible output may be as follows:    $ cat /proc/iomem   30000000-37ffffff :   38000000-3fffffff :  Sometimes, garbage may appear after the colon.  In very rare cases, if no NULL-terminator is found in memory, the system might crash because the string iterator will overrun which can lead to access of unmapped memory above the stack.  Thus, fix this by replacing outbound_name with the name of the previously requested resource. With the changes applied, the output will be as follows:    $ cat /proc/iomem   30000000-37ffffff : memory2   38000000-3fffffff : memory3  [kwilczynski: commit log]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21829",
                        "url": "https://ubuntu.com/security/CVE-2025-21829",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"  The Call Trace is as below: \"   <TASK>   ? show_regs.cold+0x1a/0x1f   ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]   ? __warn+0x84/0xd0   ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]   ? report_bug+0x105/0x180   ? handle_bug+0x46/0x80   ? exc_invalid_op+0x19/0x70   ? asm_exc_invalid_op+0x1b/0x20   ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]   ? __rxe_cleanup+0x124/0x170 [rdma_rxe]   rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe]   ib_destroy_qp_user+0x118/0x190 [ib_core]   rdma_destroy_qp.cold+0x43/0x5e [rdma_cm]   rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core]   rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server]   process_one_work+0x21d/0x3f0   worker_thread+0x4a/0x3c0   ? process_one_work+0x3f0/0x3f0   kthread+0xf0/0x120   ? kthread_complete_and_exit+0x20/0x20   ret_from_fork+0x22/0x30   </TASK> \" When too many rdma resources are allocated, rxe needs more time to handle these rdma resources. Sometimes with the current timeout, rxe can not release the rdma resources correctly.  Compared with other rdma drivers, a bigger timeout is used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57984",
                        "url": "https://ubuntu.com/security/CVE-2024-57984",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition  In dw_i3c_common_probe, &master->hj_work is bound with dw_i3c_hj_work. And dw_i3c_master_irq_handler can call dw_i3c_master_irq_handle_ibis function to start the work.  If we remove the module which will call dw_i3c_common_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:  CPU0                                      CPU1                                       | dw_i3c_hj_work dw_i3c_common_remove                 | i3c_master_unregister(&master->base) | device_unregister(&master->dev)      | device_release                       | //free master->base                  |                                      | i3c_master_do_daa(&master->base)                                      | //use master->base  Fix it by ensuring that the work is canceled before proceeding with the cleanup in dw_i3c_common_remove.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58034",
                        "url": "https://ubuntu.com/security/CVE-2024-58034",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()  As of_find_node_by_name() release the reference of the argument device node, tegra_emc_find_node_by_ram_code() releases some device nodes while still in use, resulting in possible UAFs. According to the bindings and the in-tree DTS files, the \"emc-tables\" node is always device's child node with the property \"nvidia,use-ram-code\", and the \"lpddr2\" node is a child of the \"emc-tables\" node. Thus utilize the for_each_child_of_node() macro and of_get_child_by_name() instead of of_find_node_by_name() to simplify the code.  This bug was found by an experimental verification tool that I am developing.  [krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57973",
                        "url": "https://ubuntu.com/security/CVE-2024-57973",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rdma/cxgb4: Prevent potential integer overflow on 32bit  The \"gl->tot_len\" variable is controlled by the user.  It comes from process_responses().  On 32bit systems, the \"gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)\" addition could have an integer wrapping bug.  Use size_add() to prevent this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21725",
                        "url": "https://ubuntu.com/security/CVE-2025-21725",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix oops due to unset link speed  It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening:  Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24 RSP: 0018:ffffc90001817be0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99 RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228 RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200 R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58 FS: 00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace:  <TASK>  ? __die_body.cold+0x19/0x27  ? die+0x2e/0x50  ? do_trap+0x159/0x1b0  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? do_error_trap+0x90/0x130  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? exc_divide_error+0x39/0x50  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? asm_exc_divide_error+0x1a/0x20  ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs]  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? seq_read_iter+0x42e/0x790  seq_read_iter+0x19a/0x790  proc_reg_read_iter+0xbe/0x110  ? __pfx_proc_reg_read_iter+0x10/0x10  vfs_read+0x469/0x570  ? do_user_addr_fault+0x398/0x760  ? 
__pfx_vfs_read+0x10/0x10  ? find_held_lock+0x8a/0xa0  ? __pfx_lock_release+0x10/0x10  ksys_read+0xd3/0x170  ? __pfx_ksys_read+0x10/0x10  ? __rcu_read_unlock+0x50/0x270  ? mark_held_locks+0x1a/0x90  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe271288911 Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911 RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003 RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000  </TASK>  Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21726",
                        "url": "https://ubuntu.com/security/CVE-2025-21726",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: avoid UAF for reorder_work  Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:  crypto_request\t\t\tcrypto_request\t\tcrypto_del_alg padata_do_serial   ...   padata_reorder     // processes all remaining     // requests then breaks     while (1) {       if (!padata)         break;       ...     }  \t\t\t\tpadata_do_serial \t\t\t\t  // new request added \t\t\t\t  list_add     // sees the new request     queue_work(reorder_work) \t\t\t\t  padata_reorder \t\t\t\t    queue_work_on(squeue->work) ...  \t\t\t\t<kworker context> \t\t\t\tpadata_serial_worker \t\t\t\t// completes new request, \t\t\t\t// no more outstanding \t\t\t\t// requests  \t\t\t\t\t\t\tcrypto_del_alg \t\t\t\t\t\t\t  // free pd  <kworker context> invoke_padata_reorder   // UAF of pd  To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21727",
                        "url": "https://ubuntu.com/security/CVE-2025-21727",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: fix UAF in padata_reorder  A bug was found when run ltp test:  BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206  CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0  If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01).  This can be explained as bellow:  pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker\t\t\t\tcrypto_del_alg padata_put_pd_cnt // sub refcnt \t\t\t\t\t\tpadata_free_shell \t\t\t\t\t\tpadata_put_pd(ps->pd); \t\t\t\t\t\t// pd is freed // loop again, but pd is freed // call padata_find_next, UAF }  In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF.  As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish.  [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21728",
                        "url": "https://ubuntu.com/security/CVE-2025-21728",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Send signals asynchronously if !preemptible  BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58070",
                        "url": "https://ubuntu.com/security/CVE-2024-58070",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT  In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT is enabled.  [   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs [   35.118569] preempt_count: 1, expected: 0 [   35.118571] RCU nest depth: 1, expected: 1 [   35.118577] INFO: lockdep is turned off.     ... [   35.118647]  __might_resched+0x433/0x5b0 [   35.118677]  rt_spin_lock+0xc3/0x290 [   35.118700]  ___slab_alloc+0x72/0xc40 [   35.118723]  __kmalloc_noprof+0x13f/0x4e0 [   35.118732]  bpf_map_kzalloc+0xe5/0x220 [   35.118740]  bpf_selem_alloc+0x1d2/0x7b0 [   35.118755]  bpf_local_storage_update+0x2fa/0x8b0 [   35.118784]  bpf_sk_storage_get_tracing+0x15a/0x1d0 [   35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66 [   35.118795]  bpf_trace_run3+0x222/0x400 [   35.118820]  __bpf_trace_inet_sock_set_state+0x11/0x20 [   35.118824]  trace_inet_sock_set_state+0x112/0x130 [   35.118830]  inet_sk_state_store+0x41/0x90 [   35.118836]  tcp_set_state+0x3b3/0x640  There is no need to adjust the gfp_flags passing to the bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL. The verifier has ensured GFP_KERNEL is passed only in sleepable context.  It has been an old issue since the first introduction of the bpf_local_storage ~5 years ago, so this patch targets the bpf-next.  bpf_mem_alloc is needed to solve it, so the Fixes tag is set to the commit when bpf_mem_alloc was first used in the bpf_local_storage.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21711",
                        "url": "https://ubuntu.com/security/CVE-2025-21711",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rose: prevent integer overflows in rose_setsockopt()  In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur.  Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21799",
                        "url": "https://ubuntu.com/security/CVE-2025-21799",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()  When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid.  There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels()  am65_cpsw_nuss_update_tx_rx_chns()   am65_cpsw_nuss_remove_tx_chns()   am65_cpsw_nuss_init_tx_chns()  At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value.  Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning.  The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21806",
                        "url": "https://ubuntu.com/security/CVE-2025-21806",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: let net.core.dev_weight always be non-zero  The following problem was encountered during stability test:  (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \\ \treturned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \\ \tnext=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \\ \t__list_add_valid_or_report+0xf3/0x130 CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ RIP: 0010:__list_add_valid_or_report+0xf3/0x130 Call Trace: ? __warn+0xcd/0x250 ? __list_add_valid_or_report+0xf3/0x130 enqueue_to_backlog+0x923/0x1070 netif_rx_internal+0x92/0x2b0 __netif_rx+0x15/0x170 loopback_xmit+0x2ef/0x450 dev_hard_start_xmit+0x103/0x490 __dev_queue_xmit+0xeac/0x1950 ip_finish_output2+0x6cc/0x1620 ip_output+0x161/0x270 ip_push_pending_frames+0x155/0x1a0 raw_sendmsg+0xe13/0x1550 __sys_sendto+0x3bf/0x4e0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x5b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The reproduction command is as follows:   sysctl -w net.core.dev_weight=0   ping 127.0.0.1  This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue.  Making the napi's weight always non-zero solves this problem.  Triggering this issue requires system-wide admin (setting is not namespaced).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21830",
                        "url": "https://ubuntu.com/security/CVE-2025-21830",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  landlock: Handle weird files  A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21828",
                        "url": "https://ubuntu.com/security/CVE-2025-21828",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: don't flush non-uploaded STAs  If STA state is pre-moved to AUTHORIZED (such as in IBSS scenarios) and insertion fails, the station is freed. In this case, the driver never knew about the station, so trying to flush it is unexpected and may crash.  Check if the sta was uploaded to the driver before and fix this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58061",
                        "url": "https://ubuntu.com/security/CVE-2024-58061",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: prohibit deactivating all links  In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57993",
                        "url": "https://ubuntu.com/security/CVE-2024-57993",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check  syzbot has found a type mismatch between a USB pipe and the transfer endpoint, which is triggered by the hid-thrustmaster driver[1]. There is a number of similar, already fixed issues [2]. In this case as in others, implementing check for endpoint type fixes the issue.  [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470 [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21812",
                        "url": "https://ubuntu.com/security/CVE-2025-21812",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ax25: rcu protect dev->ax25_ptr  syzbot found a lockdep issue [1].  We should remove ax25 RTNL dependency in ax25_setsockopt()  This should also fix a variety of possible UAF in ax25.  [1]  WARNING: possible circular locking dependency detected 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted ------------------------------------------------------ syz.5.1818/12806 is trying to acquire lock:  ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680  but task is already holding lock:  ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]  ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:         lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849         lock_sock_nested+0x48/0x100 net/core/sock.c:3642         lock_sock include/net/sock.h:1618 [inline]         ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]         ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146         notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85        __dev_notify_flags+0x207/0x400         dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026         dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563         dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820         sock_do_ioctl+0x240/0x460 net/socket.c:1234         sock_ioctl+0x626/0x8e0 net/socket.c:1339         vfs_ioctl fs/ioctl.c:51 [inline]         __do_sys_ioctl fs/ioctl.c:906 [inline]         __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892         do_syscall_x64 arch/x86/entry/common.c:52 [inline]         do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83        entry_SYSCALL_64_after_hwframe+0x77/0x7f  -> #0 (rtnl_mutex){+.+.}-{4:4}:         
check_prev_add kernel/locking/lockdep.c:3161 [inline]         check_prevs_add kernel/locking/lockdep.c:3280 [inline]         validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904         __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226         lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849         __mutex_lock_common kernel/locking/mutex.c:585 [inline]         __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735         ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680         do_sock_setsockopt+0x3af/0x720 net/socket.c:2324         __sys_setsockopt net/socket.c:2349 [inline]         __do_sys_setsockopt net/socket.c:2355 [inline]         __se_sys_setsockopt net/socket.c:2352 [inline]         __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352         do_syscall_x64 arch/x86/entry/common.c:52 [inline]         do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83        entry_SYSCALL_64_after_hwframe+0x77/0x7f  other info that might help us debug this:   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(sk_lock-AF_AX25);                                lock(rtnl_mutex);                                lock(sk_lock-AF_AX25);   lock(rtnl_mutex);   *** DEADLOCK ***  1 lock held by syz.5.1818/12806:   #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]   #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574  stack backtrace: CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120   print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074   check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206   check_prev_add kernel/locking/lockdep.c:3161 
[inline]   check_prevs_add kernel/lockin ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58071",
                        "url": "https://ubuntu.com/security/CVE-2024-58071",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  team: prevent adding a device which is already a team device lower  Prevent adding a device which is already a team device lower, e.g. adding veth0 if vlan1 was already added and veth0 is a lower of vlan1.  This is not useful in practice and can lead to recursive locking:  $ ip link add veth0 type veth peer name veth1 $ ip link set veth0 up $ ip link set veth1 up $ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1 $ ip link add team0 type team $ ip link set veth0.1 down $ ip link set veth0.1 master team0 team0: Port device veth0.1 added $ ip link set veth0 down $ ip link set veth0 master team0  ============================================ WARNING: possible recursive locking detected 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted -------------------------------------------- ip/7684 is trying to acquire lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)  but task is already holding lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977)  other info that might help us debug this: Possible unsafe locking scenario:  CPU0 ---- lock(team->team_lock_key); lock(team->team_lock_key);  *** DEADLOCK ***  May be due to missing lock nesting notation  2 locks held by ip/7684:  stack backtrace: CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_deadlock_bug.cold (kernel/locking/lockdep.c:3040) __lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226) ? 
netlink_broadcast_filtered (net/netlink/af_netlink.c:1548) lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2)) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? lock_acquire (kernel/locking/lockdep.c:5822) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) __mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? fib_sync_up (net/ipv4/fib_semantics.c:2167) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) __dev_notify_flags (net/core/dev.c:8993) ? __dev_change_flags (net/core/dev.c:8975) dev_change_flags (net/core/dev.c:9027) vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470) ? br_device_event (net/bridge/br.c:143) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) dev_open (net/core/dev.c:1519 net/core/dev.c:1505) team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977) ? __pfx_team_add_slave (drivers/net/team/team_core.c:1972) do_set_master (net/core/rtnetlink.c:2917) do_setlink.isra.0 (net/core/rtnetlink.c:3117)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58063",
                        "url": "https://ubuntu.com/security/CVE-2024-58063",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtlwifi: fix memory leaks and invalid access at probe error path  Deinitialize at reverse order when probe fails.  When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue.  And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked.  Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f (\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and commit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58072",
                        "url": "https://ubuntu.com/security/CVE-2024-58072",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtlwifi: remove unused check_buddy_priv  Commit 2461c7d60f9f (\"rtlwifi: Update header file\") introduced a global list of private data structures.  Later on, commit 26634c4b1868 (\"rtlwifi Modify existing bits to match vendor version 2013.02.07\") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device.  However, that function was never used.  Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory.  Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58053",
                        "url": "https://ubuntu.com/security/CVE-2024-58053",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix handling of received connection abort  Fix the handling of a connection abort that we've received.  Though the abort is at the connection level, it needs propagating to the calls on that connection.  Whilst the propagation bit is performed, the calls aren't then woken up to go and process their termination, and as no further input is forthcoming, they just hang.  Also add some tracing for the logging of connection aborts.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57996",
                        "url": "https://ubuntu.com/security/CVE-2024-57996",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: don't allow 1 packet limit  The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well.  This fixes the following syzkaller reported crash:  UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:   __dump_stack lib/dump_stack.c:79 [inline]   dump_stack+0x125/0x19f lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:148 [inline]   __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347   sfq_link net/sched/sch_sfq.c:210 [inline]   sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238   sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500   sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296   netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]   dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362   __dev_close_many+0x214/0x350 net/core/dev.c:1468   dev_close_many+0x207/0x510 net/core/dev.c:1506   unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738   unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695   unregister_netdevice include/linux/netdevice.h:2893 [inline]   __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689   tun_detach drivers/net/tun.c:705 [inline]   tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640   __fput+0x203/0x840 fs/file_table.c:280   task_work_run+0x129/0x1b0 kernel/task_work.c:185   exit_task_work include/linux/task_work.h:33 [inline]   do_exit+0x5ce/0x2200 kernel/exit.c:931  
 do_group_exit+0x144/0x310 kernel/exit.c:1046   __do_sys_exit_group kernel/exit.c:1057 [inline]   __se_sys_exit_group kernel/exit.c:1055 [inline]   __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055  do_syscall_64+0x6c/0xd0  entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270  The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1):  tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1  Scenario that triggers the crash:  * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1  * TBF dequeues: it peeks from SFQ which moves the packet to the   gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so   it schedules itself for later.  * the second packet is sent and TBF tries to queues it to SFQ. qdisc   qlen is now 2 and because the SFQ limit is 1 the packet is dropped   by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,   however q->tail is not NULL.  At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57997",
                        "url": "https://ubuntu.com/security/CVE-2024-57997",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: wcn36xx: fix channel survey memory allocation size  KASAN reported a memory allocation issue in wcn->chan_survey due to incorrect size calculation. This commit uses kcalloc to allocate memory for wcn->chan_survey, ensuring proper initialization and preventing the use of uninitialized values when there are no frames on the channel.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58051",
                        "url": "https://ubuntu.com/security/CVE-2024-58051",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: ipmb: Add check devm_kasprintf() returned value  devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58068",
                        "url": "https://ubuntu.com/security/CVE-2024-58068",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized  If a driver calls dev_pm_opp_find_bw_ceil/floor() to retrieve bandwidth from the OPP table but the bandwidth table was not created because the interconnect properties were missing in the OPP consumer node, the kernel will crash with:  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 ... pc : _read_bw+0x8/0x10 lr : _opp_table_find_key+0x9c/0x174 ... Call trace:   _read_bw+0x8/0x10 (P)   _opp_table_find_key+0x9c/0x174 (L)   _find_key+0x98/0x168   dev_pm_opp_find_bw_ceil+0x50/0x88 ...  In order to fix the crash, create an assert function to check if the bandwidth table was created before trying to get a bandwidth with _read_bw().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57998",
                        "url": "https://ubuntu.com/security/CVE-2024-57998",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  OPP: add index check to assert to avoid buffer overflow in _read_freq()  Pass the freq index to the assert function to make sure we do not read a freq out of the opp->rates[] table when called from the indexed variants: dev_pm_opp_find_freq_exact_indexed() or dev_pm_opp_find_freq_ceil/floor_indexed().  Add a secondary parameter to the assert function, unused for assert_single_clk() then add assert_clk_index() which will check for the clock index when called from the _indexed() find functions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58052",
                        "url": "https://ubuntu.com/security/CVE-2024-58052",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table  The function atomctrl_get_smc_sclk_range_table() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve SMU_Info table, it returns NULL which is later dereferenced.  Found by Linux Verification Center (linuxtesting.org) with SVACE.  In practice this should never happen as this code only gets called on polaris chips and the vbios data table will always be present on those chips.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-06 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57986",
                        "url": "https://ubuntu.com/security/CVE-2024-57986",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections  A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers.  One of the errors was fixed by commit ea427a222d8b (\"HID: core: Fix deadloop in hid_apply_multiplier.\"), but the other has not been fixed.  This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL.  This is in spite of the fact that the function starts with a big comment saying:  \t * \"The Resolution Multiplier control must be contained in the same \t * Logical Collection as the control(s) to which it is to be applied. \t   ... \t *  If no Logical Collection is \t * defined, the Resolution Multiplier is associated with all \t * controls in the report.\" \t * HID Usage Table, v1.12, Section 4.3.1, p30 \t * \t * Thus, search from the current collection upwards until we find a \t * logical collection...  The comment and the code overlook the possibility that none of the collections found may be a Logical Collection.  The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21731",
                        "url": "https://ubuntu.com/security/CVE-2025-21731",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nbd: don't allow reconnect after disconnect  Following process can cause nbd_config UAF:  1) grab nbd_config temporarily;  2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:    nbd_genl_disconnect    nbd_disconnect_and_put     nbd_disconnect      flush_workqueue(nbd->recv_workq)     if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))      nbd_config_put      -> due to step 1), reference is still not zero  3) nbd_genl_reconfigure() queue recv_work() again;    nbd_genl_reconfigure    config = nbd_get_config_unlocked(nbd)    if (!config)    -> succeed    if (!test_bit(NBD_RT_BOUND, ...))    -> succeed    nbd_reconnect_socket     queue_work(nbd->recv_workq, &args->work)  4) step 1) release the reference;  5) Finally, recv_work() will trigger UAF:    recv_work    nbd_config_put(nbd)    -> nbd_config is freed    atomic_dec(&config->recv_threads)    -> UAF  Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-27 02:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37798",
                        "url": "https://ubuntu.com/security/CVE-2025-37798",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()  After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-02 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37997",
                        "url": "https://ubuntu.com/security/CVE-2025-37997",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: fix region locking in hash types  Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-22088",
                        "url": "https://ubuntu.com/security/CVE-2025-22088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()  After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-04-16 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-37890",
                        "url": "https://ubuntu.com/security/CVE-2025-37890",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc  As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).  This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-05-16 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-2312",
                        "url": "https://ubuntu.com/security/CVE-2025-2312",
                        "cve_description": "A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-03-25 18:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21689",
                        "url": "https://ubuntu.com/security/CVE-2025-21689",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()  This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following:         if (newport > serial->num_ports) {                dev_err(&port->dev,                        \"%s - port change to invalid port: %i\\n\",                        __func__, newport);                break;        }  The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of \"port\" in the following code is out-of-bounds and NULL:         serial_priv->current_port = newport;        port = serial->port[serial_priv->current_port];  The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-10 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21690",
                        "url": "https://ubuntu.com/security/CVE-2025-21690",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: storvsc: Ratelimit warning logs to prevent VM denial of service  If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-10 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21691",
                        "url": "https://ubuntu.com/security/CVE-2025-21691",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cachestat: fix page cache statistics permission checking  When the 'cachestat()' system call was added in commit cf264e1329fb (\"cachestat: implement cachestat syscall\"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work.  But it ended up missing the \"check for writability or ownership\" fix for mincore(), done in commit 134fca9063ad (\"mm/mincore.c: make mincore() more conservative\").  This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-10 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21692",
                        "url": "https://ubuntu.com/security/CVE-2025-21692",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: fix ets qdisc OOB Indexing  Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation.   [   18.852298] ------------[ cut here ]------------  [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20  [   18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'  [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17  [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014  [   18.856532] Call Trace:  [   18.857441]  <TASK>  [   18.858227]  dump_stack_lvl+0xc2/0xf0  [   18.859607]  dump_stack+0x10/0x20  [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0  [   18.864022]  ets_class_change+0x3d6/0x3f0  [   18.864322]  tc_ctl_tclass+0x251/0x910  [   18.864587]  ? lock_acquire+0x5e/0x140  [   18.865113]  ? __mutex_lock+0x9c/0xe70  [   18.866009]  ? __mutex_lock+0xa34/0xe70  [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0  [   18.866806]  ? __lock_acquire+0x578/0xc10  [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10  [   18.867503]  netlink_rcv_skb+0x59/0x110  [   18.867776]  rtnetlink_rcv+0x15/0x30  [   18.868159]  netlink_unicast+0x1c3/0x2b0  [   18.868440]  netlink_sendmsg+0x239/0x4b0  [   18.868721]  ____sys_sendmsg+0x3e2/0x410  [   18.869012]  ___sys_sendmsg+0x88/0xe0  [   18.869276]  ? rseq_ip_fixup+0x198/0x260  [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190  [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0  [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220  [   18.870547]  ? do_syscall_64+0x93/0x150  [   18.870821]  ? 
__memcg_slab_free_hook+0x69/0x290  [   18.871157]  __sys_sendmsg+0x69/0xd0  [   18.871416]  __x64_sys_sendmsg+0x1d/0x30  [   18.871699]  x64_sys_call+0x9e2/0x2670  [   18.871979]  do_syscall_64+0x87/0x150  [   18.873280]  ? do_syscall_64+0x93/0x150  [   18.874742]  ? lock_release+0x7b/0x160  [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0  [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210  [   18.879608]  ? irqentry_exit+0x77/0xb0  [   18.879808]  ? clear_bhb_loop+0x15/0x70  [   18.880023]  ? clear_bhb_loop+0x15/0x70  [   18.880223]  ? clear_bhb_loop+0x15/0x70  [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e  [   18.880683] RIP: 0033:0x44a957  [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10  [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e  [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957  [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003  [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0  [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001  [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001  [   18.888395]  </TASK>  [   18.888610] ---[ end trace ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-10 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21699",
                        "url": "https://ubuntu.com/security/CVE-2025-21699",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag  Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-12 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-50157",
                        "url": "https://ubuntu.com/security/CVE-2024-50157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop  Driver waits indefinitely for the fifo occupancy to go below a threshold as soon as the pacing interrupt is received. This can cause soft lockup on one of the processors, if the rate of DB is very high.  Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th if the loop is taking more time. Pacing will be continuing until the occupancy is below the threshold. This is ensured by the checks in bnxt_re_pacing_timer_exp and further scheduling the work for pacing based on the fifo occupancy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-11-07 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21672",
                        "url": "https://ubuntu.com/security/CVE-2025-21672",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix merge preference rule failure condition  syzbot reported a lock held when returning to userspace[1].  This is because if argc is less than 0 and the function returns directly, the held inode lock is not released.  Fix this by store the error in ret and jump to done to clean up instead of returning directly.  [dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()]  [1] WARNING: lock held when returning to user space! 6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted ------------------------------------------------ syz-executor133/5823 is leaving the kernel with locks still held! 1 lock held by syz-executor133/5823:  #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]  #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21682",
                        "url": "https://ubuntu.com/security/CVE-2025-21682",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eth: bnxt: always recalculate features after XDP clearing, fix null-deref  Recalculate features when XDP is detached.  Before:   # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp   # ip li set dev eth0 xdp off   # ethtool -k eth0 | grep gro   rx-gro-hw: off [requested on]  After:   # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp   # ip li set dev eth0 xdp off   # ethtool -k eth0 | grep gro   rx-gro-hw: on  The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly.  Starting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in __bnxt_reserve_rings()\") we only reconfigure the RSS hash table if the \"effective\" number of Rx rings has changed. If HW-GRO is enabled \"effective\" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement \"pending\" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the:    if (old_rx_rings != bp->hw_resc.resv_rx_rings &&  condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with:    BUG: kernel NULL pointer dereference, address: 0000000000000168   RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0     bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180     __bnxt_setup_vnic_p5+0x58/0x110     bnxt_init_nic+0xb72/0xf50     __bnxt_open_nic+0x40d/0xab0     bnxt_open_nic+0x2b/0x60     ethtool_set_channels+0x18c/0x1d0  As we try to access a freed ring.  The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in __bnxt_reserve_rings()\") it wasn't causing major issues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-53124",
                        "url": "https://ubuntu.com/security/CVE-2024-53124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix data-races around sk->sk_forward_alloc  Syzkaller reported this warning:  ------------[ cut here ]------------  WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0  Modules linked in:  CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014  RIP: 0010:inet_sock_destruct+0x1c5/0x1e0  Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00  RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206  RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007  RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00  RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007  R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00  R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78  FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  Call Trace:   <TASK>   ? __warn+0x88/0x130   ? inet_sock_destruct+0x1c5/0x1e0   ? report_bug+0x18e/0x1a0   ? handle_bug+0x53/0x90   ? exc_invalid_op+0x18/0x70   ? asm_exc_invalid_op+0x1a/0x20   ? inet_sock_destruct+0x1c5/0x1e0   __sk_destruct+0x2a/0x200   rcu_do_batch+0x1aa/0x530   ? rcu_do_batch+0x13b/0x530   rcu_core+0x159/0x2f0   handle_softirqs+0xd3/0x2b0   ? __pfx_smpboot_thread_fn+0x10/0x10   run_ksoftirqd+0x25/0x30   smpboot_thread_fn+0xdd/0x1d0   kthread+0xd3/0x100   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x34/0x50   ? 
__pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  ---[ end trace 0000000000000000 ]---  Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv     tcp_v6_do_rcv         skb_clone_and_charge_r             sk_rmem_schedule                 __sk_mem_schedule                     sk_forward_alloc_add()             skb_set_owner_r                 sk_mem_charge                     sk_forward_alloc_add()         __kfree_skb             skb_release_all                 skb_release_head_state                     sock_rfree                         sk_mem_uncharge                             sk_forward_alloc_add()                             sk_mem_reclaim                                 // set local var reclaimable                                 __sk_mem_reclaim                                     sk_forward_alloc_add()  In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this:  (cpu 1)             | (cpu 2)             | sk_forward_alloc  ...                 | ...                 | 0  __sk_mem_schedule() |                     | +4096 = 4096                      | __sk_mem_schedule() | +4096 = 8192  sk_mem_charge()     |                     | -768  = 7424                      | sk_mem_charge()     | -768  = 6656  ...                 |    ...              |  sk_mem_uncharge()   |                     | +768  = 7424  reclaimable=7424    |                     |                      | sk_mem_uncharge()   | +768  = 8192                      | reclaimable=8192    |  __sk_mem_reclaim()  |                     | -4096 = 4096                      | __sk_mem_reclaim()  | -8192 = -4096 != 0  The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). 
Fix the same issue in dccp_v6_do_rcv().",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-02 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57924",
                        "url": "https://ubuntu.com/security/CVE-2024-57924",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: relax assertions on failure to encode file handles  Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons.  The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle.  There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong.  The second linked bug report states commit 16aac5ad1fa9 (\"ovl: support encoding non-decodable file handles\") in v6.6 as the regressing commit, but this is not accurate.  The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches.  Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit.  Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-19 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57951",
                        "url": "https://ubuntu.com/security/CVE-2024-57951",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hrtimers: Handle CPU state correctly on hotplug  Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE:  Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online state, for instance CFS incorrectly assumes that the hrtick is already active, and the chance of the clockevent device to transition to oneshot mode is also lost forever for the CPU, unless it goes back to a lower state than CPUHP_HRTIMERS_PREPARE once.  This round-trip reveals another issue; cpu_base.online is not set to 1 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().  Aside of that, the bulk of the per CPU state is not reset either, which means there are dangling pointers in the worst case.  Address this by adding a corresponding startup() callback, which resets the stale per CPU state and sets the online flag.  [ tglx: Make the new callback unconditionally available, remove the online   \tmodification in the prepare() callback and clear the remaining   \tstate in the starting callback instead of the prepare callback ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-12 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57949",
                        "url": "https://ubuntu.com/security/CVE-2024-57949",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()  The following call-chain leads to enabling interrupts in a nested interrupt disabled section:  irq_set_vcpu_affinity()   irq_get_desc_lock()      raw_spin_lock_irqsave()   <--- Disable interrupts   its_irq_set_vcpu_affinity()      guard(raw_spinlock_irq)   <--- Enables interrupts when leaving the guard()   irq_put_desc_unlock()        <--- Warns because interrupts are enabled  This was broken in commit b97e8a2f7130, which replaced the original raw_spin_[un]lock() pair with guard(raw_spinlock_irq).  Fix the issue by using guard(raw_spinlock).  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-09 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21668",
                        "url": "https://ubuntu.com/security/CVE-2025-21668",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: imx8mp-blk-ctrl: add missing loop break condition  Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs.  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace:  dev_pm_domain_detach+0x8/0x48  platform_shutdown+0x2c/0x48  device_shutdown+0x158/0x268  kernel_restart_prepare+0x40/0x58  kernel_kexec+0x58/0xe8  __do_sys_reboot+0x198/0x258  __arm64_sys_reboot+0x2c/0x40  invoke_syscall+0x5c/0x138  el0_svc_common.constprop.0+0x48/0xf0  do_el0_svc+0x24/0x38  el0_svc+0x38/0xc8  el0t_64_sync_handler+0x120/0x130  el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21684",
                        "url": "https://ubuntu.com/security/CVE-2025-21684",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpio: xilinx: Convert gpio_lock to raw spinlock  irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking.  This fixes the following lockdep splat:  [    5.349336] ============================= [    5.353349] [ BUG: Invalid wait context ] [    5.357361] 6.13.0-rc5+ #69 Tainted: G        W [    5.363031] ----------------------------- [    5.367045] kworker/u17:1/44 is trying to lock: [    5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [    5.380079] other info that might help us debug this: [    5.385138] context-{5:5} [    5.387762] 5 locks held by kworker/u17:1/44: [    5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [    5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [    5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [    5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [    5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [    5.436472] stack backtrace: [    5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G       W          6.13.0-rc5+ #69 [    5.448690] Tainted: [W]=WARN [    5.451656] Hardware name: xlnx,zynqmp (DT) [    5.455845] Workqueue: events_unbound deferred_probe_work_func [    5.461699] Call trace: [    5.464147] show_stack+0x18/0x24 C [    5.467821] dump_stack_lvl (lib/dump_stack.c:123) [    5.471501] dump_stack (lib/dump_stack.c:130) [    5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 
kernel/locking/lockdep.c:5176) [    5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [    5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [    5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [    5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [    5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [    5.497645] irq_startup (kernel/irq/chip.c:270) [    5.501143] __setup_irq (kernel/irq/manage.c:1807) [    5.504728] request_threaded_irq (kernel/irq/manage.c:2208)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-09 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21694",
                        "url": "https://ubuntu.com/security/CVE-2025-21694",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix softlockup in __read_vmcore (part 2)  Since commit 5cbcb62dddf5 (\"fs/proc: fix softlockup in __read_vmcore\") the number of softlockups in __read_vmcore at kdump time have gone down, but they still happen sometimes.  In a memory constrained environment like the kdump image, a softlockup is not just a harmless message, but it can interfere with things like RCU freeing memory, causing the crashdump to get stuck.  The second loop in __read_vmcore has a lot more opportunities for natural sleep points, like scheduling out while waiting for a data write to happen, but apparently that is not always enough.  Add a cond_resched() to the second loop in __read_vmcore to (hopefully) get rid of the softlockups.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-12 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21665",
                        "url": "https://ubuntu.com/security/CVE-2025-21665",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  filemap: avoid truncating 64-bit offset to 32 bits  On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21666",
                        "url": "https://ubuntu.com/security/CVE-2025-21666",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]  Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't.  Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning.  This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21669",
                        "url": "https://ubuntu.com/security/CVE-2025-21669",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: discard packets if the transport changes  If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport.  A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21670",
                        "url": "https://ubuntu.com/security/CVE-2025-21670",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/bpf: return early if transport is not assigned  Some of the core functions can only be called if the transport has been assigned.  As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace:      BUG: kernel NULL pointer dereference, address: 00000000000000a0     #PF: supervisor read access in kernel mode     #PF: error_code(0x0000) - not-present page     PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0     Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI     CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+     RIP: 0010:vsock_connectible_has_data+0x1f/0x40     Call Trace:      vsock_bpf_recvmsg+0xca/0x5e0      sock_recvmsg+0xb9/0xc0      __sys_recvfrom+0xb3/0x130      __x64_sys_recvfrom+0x20/0x30      do_syscall_64+0x93/0x180      entry_SYSCALL_64_after_hwframe+0x76/0x7e  So we need to check the `vsk->transport` in vsock_bpf_recvmsg(), especially for connected sockets (stream/seqpacket) as we already do in __vsock_connectible_recvmsg().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21667",
                        "url": "https://ubuntu.com/security/CVE-2025-21667",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iomap: avoid avoid truncating 64-bit offset to 32 bits  on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-57948",
                        "url": "https://ubuntu.com/security/CVE-2024-57948",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mac802154: check local interfaces before deleting sdata list  syzkaller reported a corrupted list in ieee802154_if_remove. [1]  Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system.  CPU0\t\t\t\t\tCPU1 ====\t\t\t\t\t==== genl_family_rcv_msg_doit\t\tieee802154_unregister_hw ieee802154_del_iface\t\t\tieee802154_remove_interfaces rdev_del_virtual_intf_deprecated\tlist_del(&sdata->list) ieee802154_if_remove list_del_rcu  The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove.  To avoid this issue, add a check for local->interfaces before deleting sdata list.  [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 
0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  __list_del_entry_valid include/linux/list.h:124 [inline]  __list_del_entry include/linux/list.h:215 [inline]  list_del_rcu include/linux/rculist.h:157 [inline]  ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687  rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]  ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901  sock_sendmsg_nosec net/socket.c:729 [inline]  __sock_sendmsg+0x221/0x270 net/socket.c:744  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607  ___sys_sendmsg net/socket.c:2661 [inline]  __sys_sendmsg+0x292/0x380 net/socket.c:2690  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21673",
                        "url": "https://ubuntu.com/security/CVE-2025-21673",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix double free of TCP_Server_Info::hostname  When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done.  Otherwise the following can happen:    RIP: 0010:__slab_free+0x223/0x3c0   Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89   1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f>   0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80   RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246   RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068   RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400   RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000   R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500   R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068   FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)   000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:   PKRU: 55555554   Call Trace:    <TASK>    ? show_trace_log_lvl+0x1c4/0x2df    ? show_trace_log_lvl+0x1c4/0x2df    ? __reconnect_target_unlocked+0x3e/0x160 [cifs]    ? __die_body.cold+0x8/0xd    ? die+0x2b/0x50    ? do_trap+0xce/0x120    ? __slab_free+0x223/0x3c0    ? do_error_trap+0x65/0x80    ? __slab_free+0x223/0x3c0    ? exc_invalid_op+0x4e/0x70    ? __slab_free+0x223/0x3c0    ? asm_exc_invalid_op+0x16/0x20    ? __slab_free+0x223/0x3c0    ? extract_hostname+0x5c/0xa0 [cifs]    ? extract_hostname+0x5c/0xa0 [cifs]    ? __kmalloc+0x4b/0x140    __reconnect_target_unlocked+0x3e/0x160 [cifs]    reconnect_dfs_server+0x145/0x430 [cifs]    cifs_handle_standard+0x1ad/0x1d0 [cifs]    cifs_demultiplex_thread+0x592/0x730 [cifs]    ? 
__pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]    kthread+0xdd/0x100    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x29/0x50    </TASK>",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21697",
                        "url": "https://ubuntu.com/security/CVE-2025-21697",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/v3d: Ensure job pointer is set to NULL after job completion  After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-02-12 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21674",
                        "url": "https://ubuntu.com/security/CVE-2025-21674",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel  Attempt to enable IPsec packet offload in tunnel mode in debug kernel generates the following kernel panic, which is happening due to two issues: 1. In SA add section, the should be _bh() variant when marking SA mode. 2. There is not needed flush_workqueue in SA delete routine. It is not needed as at this stage as it is removed from SADB and the running work will be canceled later in SA free.   =====================================================  WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected  6.12.0+ #4 Not tainted  -----------------------------------------------------  charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:  ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]   and this task is already holding:  ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30  which would create a new lock dependency:   (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}   but this new dependency connects a SOFTIRQ-irq-safe lock:   (&x->lock){+.-.}-{3:3}   ... which became SOFTIRQ-irq-safe at:    lock_acquire+0x1be/0x520    _raw_spin_lock_bh+0x34/0x40    xfrm_timer_handler+0x91/0xd70    __hrtimer_run_queues+0x1dd/0xa60    hrtimer_run_softirq+0x146/0x2e0    handle_softirqs+0x266/0x860    irq_exit_rcu+0x115/0x1a0    sysvec_apic_timer_interrupt+0x6e/0x90    asm_sysvec_apic_timer_interrupt+0x16/0x20    default_idle+0x13/0x20    default_idle_call+0x67/0xa0    do_idle+0x2da/0x320    cpu_startup_entry+0x50/0x60    start_secondary+0x213/0x2a0    common_startup_64+0x129/0x138   to a SOFTIRQ-irq-unsafe lock:   (&xa->xa_lock#24){+.+.}-{3:3}   ... which became SOFTIRQ-irq-unsafe at:  ...    
lock_acquire+0x1be/0x520    _raw_spin_lock+0x2c/0x40    xa_set_mark+0x70/0x110    mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]    xfrm_dev_state_add+0x3bb/0xd70    xfrm_add_sa+0x2451/0x4a90    xfrm_user_rcv_msg+0x493/0x880    netlink_rcv_skb+0x12e/0x380    xfrm_netlink_rcv+0x6d/0x90    netlink_unicast+0x42f/0x740    netlink_sendmsg+0x745/0xbe0    __sock_sendmsg+0xc5/0x190    __sys_sendto+0x1fe/0x2c0    __x64_sys_sendto+0xdc/0x1b0    do_syscall_64+0x6d/0x140    entry_SYSCALL_64_after_hwframe+0x4b/0x53   other info that might help us debug this:    Possible interrupt unsafe locking scenario:          CPU0                    CPU1         ----                    ----    lock(&xa->xa_lock#24);                                 local_irq_disable();                                 lock(&x->lock);                                 lock(&xa->xa_lock#24);    <Interrupt>      lock(&x->lock);    *** DEADLOCK ***   2 locks held by charon/1337:   #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90   #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30   the dependencies between SOFTIRQ-irq-safe lock and the holding lock:  -> (&x->lock){+.-.}-{3:3} ops: 29 {     HARDIRQ-ON-W at:                      lock_acquire+0x1be/0x520                      _raw_spin_lock_bh+0x34/0x40                      xfrm_alloc_spi+0xc0/0xe60                      xfrm_alloc_userspi+0x5f6/0xbc0                      xfrm_user_rcv_msg+0x493/0x880                      netlink_rcv_skb+0x12e/0x380                      xfrm_netlink_rcv+0x6d/0x90                      netlink_unicast+0x42f/0x740                      netlink_sendmsg+0x745/0xbe0                      __sock_sendmsg+0xc5/0x190                      __sys_sendto+0x1fe/0x2c0                      __x64_sys_sendto+0xdc/0x1b0                      do_syscall_64+0x6d/0x140                      entry_SYSCALL_64_after_hwframe+0x4b/0x53     IN-SOFTIRQ-W at:                      
lock_acquire+0x1be/0x520                      _raw_spin_lock_bh+0x34/0x40                      xfrm_timer_handler+0x91/0xd70                      __hrtimer_run_queues+0x1dd/0xa60    ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21675",
                        "url": "https://ubuntu.com/security/CVE-2025-21675",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Clear port select structure when fail to create  Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash:    mlx5_lag_port_sel_create()     mlx5_lag_create_definers()       mlx5_lag_create_definer()     <- Failed on tt 1         mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed   mlx5_lag_port_sel_create()     mlx5_lag_create_definers()       mlx5_lag_create_definer()     <- Failed on tt 0         mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008  Mem abort info:    ESR = 0x0000000096000005    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x05: level 1 translation fault  Data abort info:    ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000    CM = 0, WnR = 0, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00  [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000  Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP  Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp 
llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]   CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G           OE     6.11.0+ #2   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015   Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)   pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]   lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]   sp : ffff800085fafb00   x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000   x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000   x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000   x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350   x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0   x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c   x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190   x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000   x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000   Call trace:    mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]    mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]    mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]    mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]    mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]    mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]    process_one_work+0x170/0x3e0    worker_thread+0x2d8/0x3e0    kthread+0x11c/0x128    ret_from_fork+0x10/0x20   Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21676",
                        "url": "https://ubuntu.com/security/CVE-2025-21676",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fec: handle page_pool_dev_alloc_pages error  The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash.  This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd share to a SATA HDD attached to an imx6q.  Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve the problem for my test case. But it still seems wrong that the fec driver ignores the memory allocation error and can crash.  This commit handles the allocation error by dropping the current packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21678",
                        "url": "https://ubuntu.com/security/CVE-2025-21678",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gtp: Destroy device along with udp socket's netns dismantle.  gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created.  Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0]  In this example, gtp0 is created in ns2, and the udp socket is created in ns1.    ip netns add ns1   ip netns add ns2   ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn   ip netns del ns1  Let's link the device to the socket's netns instead.  Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns.  [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at      sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)      inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)      __sock_create (net/socket.c:1558)      udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)      gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423)      gtp_create_sockets (drivers/net/gtp.c:1447)      gtp_newlink (drivers/net/gtp.c:1507)      rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)      rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)      netlink_rcv_skb (net/netlink/af_netlink.c:2542)      netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)      netlink_sendmsg (net/netlink/af_netlink.c:1891)      ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)      ___sys_sendmsg (net/socket.c:2639)      __sys_sendmsg (net/socket.c:2669)      do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)  WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d 
#5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace:  <TASK>  ? __warn (kernel/panic.c:748)  ? ref_tracker_dir_exit (lib/ref_tracker.c:179)  ? report_bug (lib/bug.c:201 lib/bug.c:219)  ? handle_bug (arch/x86/kernel/traps.c:285)  ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))  ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)  ? ref_tracker_dir_exit (lib/ref_tracker.c:179)  ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)  ? 
kfree (mm/slub.c:4613 mm/slub.c:4761)  net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)  cleanup_net (net/core/net_namespace.c:664 (discriminator 3))  process_one_work (kernel/workqueue.c:3229)  worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21680",
                        "url": "https://ubuntu.com/security/CVE-2025-21680",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pktgen: Avoid out-of-bounds access in get_imix_entries  Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check.  UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130  Found by Linux Verification Center (linuxtesting.org) with SVACE.  [ fp: allow to fill the array completely; minor changelog cleanup ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21681",
                        "url": "https://ubuntu.com/security/CVE-2025-21681",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: fix lockup on tx to unregistering netdev with carrier  Commit in a fixes tag attempted to fix the issue in the following sequence of calls:      do_output     -> ovs_vport_send        -> dev_queue_xmit           -> __dev_queue_xmit              -> netdev_core_pick_tx                 -> skb_tx_hash  When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever.  But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK.  One example of such device is a net/dummy.  It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath.  There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments.  And when the issue is hit, the only way to recover is to reboot.  Fix that by also checking if the device is running.  The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway.  While only checking the running state might be enough, the carrier check is preserved.  The running and the carrier states seem disjoined throughout the code and different drivers.  And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet.  So, it seems safer to check both flags in OVS as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-21683",
                        "url": "https://ubuntu.com/security/CVE-2025-21683",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix bpf_sk_select_reuseport() memory leak  As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounted socket.  Drop sk's reference in both error paths.  unreferenced object 0xffff888101911800 (size 2048):   comm \"test_progs\", pid 44109, jiffies 4297131437   hex dump (first 32 bytes):     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   backtrace (crc 9336483b):     __kmalloc_noprof+0x3bf/0x560     __reuseport_alloc+0x1d/0x40     reuseport_alloc+0xca/0x150     reuseport_attach_prog+0x87/0x140     sk_reuseport_attach_bpf+0xc8/0x100     sk_setsockopt+0x1181/0x1990     do_sock_setsockopt+0x12b/0x160     __sys_setsockopt+0x7b/0xc0     __x64_sys_setsockopt+0x1b/0x30     do_syscall_64+0x93/0x180     entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-01-31 12:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2114668,
                    2112462,
                    2114174,
                    2114174,
                    2114174,
                    2114174,
                    2110090,
                    2114239,
                    2109951,
                    2106558,
                    2109609,
                    2100340,
                    2111599,
                    2106381,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2111953,
                    2112519,
                    1786013,
                    2110737,
                    2111244,
                    2109859,
                    2099914,
                    2109640,
                    2109640,
                    2109640,
                    2109640,
                    2109640,
                    2109640,
                    2109640,
                    2077384,
                    2103496,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    2107449,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-37946",
                                "url": "https://ubuntu.com/security/CVE-2025-37946",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs  With commit bcb5d6c76903 (\"s390/pci: introduce lock to synchronize state of zpci_dev's\") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a double put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37974",
                                "url": "https://ubuntu.com/security/CVE-2025-37974",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix missing check for zpci_create_device() error return  The zpci_create_device() function returns an error pointer that needs to be checked before dereferencing it as a struct zpci_dev pointer. Add the missing check in __clp_add() where it was missed when adding the scan_list in the fixed commit. Simply not adding the device to the scan list results in the previous behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-20 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-56699",
                                "url": "https://ubuntu.com/security/CVE-2024-56699",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Fix potential double remove of hotplug slot  In commit 6ee600bfbe0f (\"s390/pci: remove hotplug slot when releasing the device\") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed.  Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state.  Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-28 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37750",
                                "url": "https://ubuntu.com/security/CVE-2025-37750",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix UAF in decryption with multichannel  After commit f7025d861694 (\"smb: client: allocate crypto only for primary server\") and commit b0abcd65ec54 (\"smb: client: fix UAF in async decryption\"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption.  This fixes the following KASAN splat when running fstest generic/249 with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows Server 2022:  BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110 Read of size 8 at addr ffff8881046c18a0 by task cifsd/986 CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace:  <TASK>  dump_stack_lvl+0x5d/0x80  print_report+0x156/0x528  ? gf128mul_4k_lle+0xba/0x110  ? __virt_addr_valid+0x145/0x300  ? __phys_addr+0x46/0x90  ? gf128mul_4k_lle+0xba/0x110  kasan_report+0xdf/0x1a0  ? gf128mul_4k_lle+0xba/0x110  gf128mul_4k_lle+0xba/0x110  ghash_update+0x189/0x210  shash_ahash_update+0x295/0x370  ? __pfx_shash_ahash_update+0x10/0x10  ? __pfx_shash_ahash_update+0x10/0x10  ? __pfx_extract_iter_to_sg+0x10/0x10  ? ___kmalloc_large_node+0x10e/0x180  ? __asan_memset+0x23/0x50  crypto_ahash_update+0x3c/0xc0  gcm_hash_assoc_remain_continue+0x93/0xc0  crypt_message+0xe09/0xec0 [cifs]  ? __pfx_crypt_message+0x10/0x10 [cifs]  ? _raw_spin_unlock+0x23/0x40  ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]  decrypt_raw_data+0x229/0x380 [cifs]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]  ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]  smb3_receive_transform+0x837/0xc80 [cifs]  ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]  ? __pfx___might_resched+0x10/0x10  ? 
__pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]  cifs_demultiplex_thread+0x692/0x1570 [cifs]  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]  ? rcu_is_watching+0x20/0x50  ? rcu_lockdep_current_cpu_online+0x62/0xb0  ? find_held_lock+0x32/0x90  ? kvm_sched_clock_read+0x11/0x20  ? local_clock_noinstr+0xd/0xd0  ? trace_irq_enable.constprop.0+0xa8/0xe0  ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]  kthread+0x1fe/0x380  ? kthread+0x10f/0x380  ? __pfx_kthread+0x10/0x10  ? local_clock_noinstr+0xd/0xd0  ? ret_from_fork+0x1b/0x60  ? local_clock+0x15/0x30  ? lock_release+0x29b/0x390  ? rcu_is_watching+0x20/0x50  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x31/0x60  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-01 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40364",
                                "url": "https://ubuntu.com/security/CVE-2025-40364",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix io_req_prep_async with provided buffers  io_req_prep_async() can import provided buffers, commit the ring state by giving up on that before, it'll be reimported later if needed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-18 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-49887",
                                "url": "https://ubuntu.com/security/CVE-2024-49887",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to don't panic system for no free segment fault injection  f2fs: fix to don't panic system for no free segment fault injection  syzbot reports a f2fs bug as below:  F2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167 F2FS-fs (loop0): Stopped filesystem due to reason: 7 ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2748! CPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0 RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline] RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836 Call Trace:  __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167  f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]  f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195  f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799  f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903  vfs_fallocate+0x553/0x6c0 fs/open.c:334  do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886  __do_sys_ioctl fs/ioctl.c:905 [inline]  __se_sys_ioctl+0x81/0x170 fs/ioctl.c:893  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline] RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836  The root cause is when we inject no free segment fault into f2fs, we should not panic system, fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-10-21 18:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57975",
                                "url": "https://ubuntu.com/security/CVE-2024-57975",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do proper folio cleanup when run_delalloc_nocow() failed  [BUG] With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash with the following VM_BUG_ON_FOLIO():    BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28   BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28   page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664   aops:btrfs_aops [btrfs] ino:101 dentry name(?):\"f1774\"   flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)   page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))   ------------[ cut here ]------------   kernel BUG at mm/page-writeback.c:2992!   Internal error: Oops - BUG: 00000000f2000800 [#1] SMP   CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE     6.12.0-rc7-custom+ #87   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022   Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]   pc : folio_clear_dirty_for_io+0x128/0x258   lr : folio_clear_dirty_for_io+0x128/0x258   Call trace:    folio_clear_dirty_for_io+0x128/0x258    btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]    __process_folios_contig+0x154/0x268 [btrfs]    extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]    run_delalloc_nocow+0x5f8/0x760 [btrfs]    btrfs_run_delalloc_range+0xa8/0x220 [btrfs]    writepage_delalloc+0x230/0x4c8 [btrfs]    extent_writepage+0xb8/0x358 [btrfs]    extent_write_cache_pages+0x21c/0x4e8 [btrfs]    btrfs_writepages+0x94/0x150 [btrfs]    do_writepages+0x74/0x190    filemap_fdatawrite_wbc+0x88/0xc8    start_delalloc_inodes+0x178/0x3a8 [btrfs]    btrfs_start_delalloc_roots+0x174/0x280 [btrfs]    shrink_delalloc+0x114/0x280 [btrfs]    flush_space+0x250/0x2f8 [btrfs]    
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]    process_one_work+0x164/0x408    worker_thread+0x25c/0x388    kthread+0x100/0x118    ret_from_fork+0x10/0x20   Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)   ---[ end trace 0000000000000000 ]---  [CAUSE] The first two lines of extra debug messages show the problem is caused by the error handling of run_delalloc_nocow().  E.g. we have the following dirtied range (4K blocksize 4K page size):      0                 16K                  32K     |//////////////////////////////////////|     |  Pre-allocated  |  And the range [0, 16K) has a preallocated extent.  - Enter run_delalloc_nocow() for range [0, 16K)   Which found range [0, 16K) is preallocated, can do the proper NOCOW   write.  - Enter fallback_to_fow() for range [16K, 32K)   Since the range [16K, 32K) is not backed by preallocated extent, we   have to go COW.  - cow_file_range() failed for range [16K, 32K)   So cow_file_range() will do the clean up by clearing folio dirty,   unlock the folios.    Now the folios in range [16K, 32K) is unlocked.  - Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()   Which is called with PAGE_START_WRITEBACK to start page writeback.   But folios can only be marked writeback when it's properly locked,   thus this triggered the VM_BUG_ON_FOLIO().  Furthermore there is another hidden but common bug that run_delalloc_nocow() is not clearing the folio dirty flags in its error handling path. This is the common bug shared between run_delalloc_nocow() and cow_file_range().  [FIX] - Clear folio dirty for range [@start, @cur_offset)   Introduce a helper, cleanup_dirty_folios(), which   will find and lock the folio in the range, clear the dirty flag and   start/end the writeback, with the extra handling for the   @locked_folio.  
- Introduce a helper to clear folio dirty, start and end writeback  - Introduce a helper to record the last failed COW range end   This is to trace which range we should skip, to avoid double   unlocking.  - Skip the failed COW range for the e ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21714",
                                "url": "https://ubuntu.com/security/CVE-2025-21714",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix implicit ODP use after free  Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr.  Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a user after free and trace below.     refcount_t: underflow; use-after-free.    WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130    Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]    CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014    Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]    RIP: 0010:refcount_warn_saturate+0x12b/0x130    Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff    RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027    RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0    RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019    R10: 
000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00    R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0    FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033    CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400    Call Trace:     <TASK>     ? refcount_warn_saturate+0x12b/0x130     free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]     process_one_work+0x1cc/0x3c0     worker_thread+0x218/0x3c0     kthread+0xc6/0xf0     ret_from_fork+0x1f/0x30     </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21801",
                                "url": "https://ubuntu.com/security/CVE-2025-21801",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ravb: Fix missing rtnl lock in suspend/resume path  Fix the suspend/resume path by ensuring the rtnl lock is held where required. Calls to ravb_open, ravb_close and wol operations must be performed under the rtnl lock to prevent conflicts with ongoing ndo operations.  Without this fix, the following warning is triggered: [   39.032969] ============================= [   39.032983] WARNING: suspicious RCU usage [   39.033019] ----------------------------- [   39.033033] drivers/net/phy/phy_device.c:2004 suspicious rcu_dereference_protected() usage! ... [   39.033597] stack backtrace: [   39.033613] CPU: 0 UID: 0 PID: 174 Comm: python3 Not tainted 6.13.0-rc7-next-20250116-arm64-renesas-00002-g35245dfdc62c #7 [   39.033623] Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) [   39.033628] Call trace: [   39.033633]  show_stack+0x14/0x1c (C) [   39.033652]  dump_stack_lvl+0xb4/0xc4 [   39.033664]  dump_stack+0x14/0x1c [   39.033671]  lockdep_rcu_suspicious+0x16c/0x22c [   39.033682]  phy_detach+0x160/0x190 [   39.033694]  phy_disconnect+0x40/0x54 [   39.033703]  ravb_close+0x6c/0x1cc [   39.033714]  ravb_suspend+0x48/0x120 [   39.033721]  dpm_run_callback+0x4c/0x14c [   39.033731]  device_suspend+0x11c/0x4dc [   39.033740]  dpm_suspend+0xdc/0x214 [   39.033748]  dpm_suspend_start+0x48/0x60 [   39.033758]  suspend_devices_and_enter+0x124/0x574 [   39.033769]  pm_suspend+0x1ac/0x274 [   39.033778]  state_store+0x88/0x124 [   39.033788]  kobj_attr_store+0x14/0x24 [   39.033798]  sysfs_kf_write+0x48/0x6c [   39.033808]  kernfs_fop_write_iter+0x118/0x1a8 [   39.033817]  vfs_write+0x27c/0x378 [   39.033825]  ksys_write+0x64/0xf4 [   39.033833]  __arm64_sys_write+0x18/0x20 [   39.033841]  invoke_syscall+0x44/0x104 [   39.033852]  el0_svc_common.constprop.0+0xb4/0xd4 [   39.033862]  do_el0_svc+0x18/0x20 [   39.033870]  
el0_svc+0x3c/0xf0 [   39.033880]  el0t_64_sync_handler+0xc0/0xc4 [   39.033888]  el0t_64_sync+0x154/0x158 [   39.041274] ravb 11c30000.ethernet eth0: Link is Down",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21809",
                                "url": "https://ubuntu.com/security/CVE-2025-21809",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc, afs: Fix peer hash locking vs RCU callback  In its address list, afs now retains pointers to and refs on one or more rxrpc_peer objects.  The address list is freed under RCU and at this time, it puts the refs on those peers.  Now, when an rxrpc_peer object runs out of refs, it gets removed from the peer hash table and, for that, rxrpc has to take a spinlock.  However, it is now being called from afs's RCU cleanup, which takes place in BH context - but it is just taking an ordinary spinlock.  The put may also be called from non-BH context, and so there exists the possibility of deadlock if the BH-based RCU cleanup happens whilst the hash spinlock is held.  This led to the attached lockdep complaint.  Fix this by changing spinlocks of rxnet->peer_hash_lock back to BH-disabling locks.      ================================     WARNING: inconsistent lock state     6.13.0-rc5-build2+ #1223 Tainted: G            E     --------------------------------     inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.     
swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:     ffff88810babe228 (&rxnet->peer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0xcb/0x180     {SOFTIRQ-ON-W} state was registered at:       mark_usage+0x164/0x180       __lock_acquire+0x544/0x990       lock_acquire.part.0+0x103/0x280       _raw_spin_lock+0x2f/0x40       rxrpc_peer_keepalive_worker+0x144/0x440       process_one_work+0x486/0x7c0       process_scheduled_works+0x73/0x90       worker_thread+0x1c8/0x2a0       kthread+0x19b/0x1b0       ret_from_fork+0x24/0x40       ret_from_fork_asm+0x1a/0x30     irq event stamp: 972402     hardirqs last  enabled at (972402): [<ffffffff8244360e>] _raw_spin_unlock_irqrestore+0x2e/0x50     hardirqs last disabled at (972401): [<ffffffff82443328>] _raw_spin_lock_irqsave+0x18/0x60     softirqs last  enabled at (972300): [<ffffffff810ffbbe>] handle_softirqs+0x3ee/0x430     softirqs last disabled at (972313): [<ffffffff810ffc54>] __irq_exit_rcu+0x44/0x110      other info that might help us debug this:      Possible unsafe locking scenario:            CPU0            ----       lock(&rxnet->peer_hash_lock);       <Interrupt>         lock(&rxnet->peer_hash_lock);       *** DEADLOCK ***     1 lock held by swapper/1/0:      #0: ffffffff83576be0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x7/0x30      stack backtrace:     CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G            E     6.13.0-rc5-build2+ #1223     Tainted: [E]=UNSIGNED_MODULE     Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014     Call Trace:      <IRQ>      dump_stack_lvl+0x57/0x80      print_usage_bug.part.0+0x227/0x240      valid_state+0x53/0x70      mark_lock_irq+0xa5/0x2f0      mark_lock+0xf7/0x170      mark_usage+0xe1/0x180      __lock_acquire+0x544/0x990      lock_acquire.part.0+0x103/0x280      _raw_spin_lock+0x2f/0x40      rxrpc_put_peer+0xcb/0x180      afs_free_addrlist+0x46/0x90 [kafs]      rcu_do_batch+0x2d2/0x640      rcu_core+0x2f7/0x350      handle_softirqs+0x1ee/0x430      
__irq_exit_rcu+0x44/0x110      irq_exit_rcu+0xa/0x30      sysvec_apic_timer_interrupt+0x7f/0xa0      </IRQ>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58057",
                                "url": "https://ubuntu.com/security/CVE-2024-58057",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: convert workqueues to unbound  When a workqueue is created with `WQ_UNBOUND`, its work items are served by special worker-pools, whose host workers are not bound to any specific CPU. In the default configuration (i.e. when `queue_delayed_work` and friends do not specify which CPU to run the work item on), `WQ_UNBOUND` allows the work item to be executed on any CPU in the same node of the CPU it was enqueued on. While this solution potentially sacrifices locality, it avoids contention with other processes that might dominate the CPU time of the processor the work item was scheduled on.  This is not just a theoretical problem: in a particular scenario misconfigured process was hogging most of the time from CPU0, leaving less than 0.5% of its CPU time to the kworker. The IDPF workqueues that were using the kworker on CPU0 suffered large completion delays as a result, causing performance degradation, timeouts and eventual system crash.   * I have also run a manual test to gauge the performance   improvement. The test consists of an antagonist process   (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This   process is run under `taskset 01` to bind it to CPU0, and its   priority is changed with `chrt -pQ 9900 10000 ${pid}` and   `renice -n -20 ${pid}` after start.    Then, the IDPF driver is forced to prefer CPU0 by editing all calls   to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.    Finally, `ktraces` for the workqueue events are collected.    Without the current patch, the antagonist process can force   arbitrary delays between `workqueue_queue_work` and   `workqueue_execute_start`, that in my tests were as high as   `30ms`. With the current patch applied, the workqueue can be   migrated to another unloaded CPU in the same node, and, keeping   everything else equal, the maximum delay I could see was `6us`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57953",
                                "url": "https://ubuntu.com/security/CVE-2024-57953",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rtc: tps6594: Fix integer overflow on 32bit systems  The problem is this multiply in tps6594_rtc_set_offset()  \ttmp = offset * TICKS_PER_HOUR;  The \"tmp\" variable is an s64 but \"offset\" is a long in the (-277774)-277774 range.  On 32bit systems a long can hold numbers up to approximately two billion.  The number of TICKS_PER_HOUR is really large, (32768 * 3600) or roughly a hundred million.  When you start multiplying by a hundred million it doesn't take long to overflow the two billion mark.  Probably the safest way to fix this is to change the type of TICKS_PER_HOUR to long long because it's such a large number.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57982",
                                "url": "https://ubuntu.com/security/CVE-2024-57982",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: state: fix out-of-bounds read during lookup  lookup and resize can run in parallel.  The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array.  rehash does:   rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..]   net->xfrm.state_hmask = nhashmask;  While state lookup does:   h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);   hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) {  This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again).  Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent.  The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side.  xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21721",
                                "url": "https://ubuntu.com/security/CVE-2025-21721",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: handle errors that nilfs_prepare_chunk() may return  Patch series \"nilfs2: fix issues with rename operations\".  This series fixes BUG_ON check failures reported by syzbot around rename operations, and a minor behavioral issue where the mtime of a child directory changes when it is renamed instead of moved.   This patch (of 2):  The directory manipulation routines nilfs_set_link() and nilfs_delete_entry() rewrite the directory entry in the folio/page previously read by nilfs_find_entry(), so error handling is omitted on the assumption that nilfs_prepare_chunk(), which prepares the buffer for rewriting, will always succeed for these.  And if an error is returned, it triggers the legacy BUG_ON() checks in each routine.  This assumption is wrong, as proven by syzbot: the buffer layer called by nilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may fail due to metadata corruption or other reasons.  This has been there all along, but improved sanity checks and error handling may have made it more reproducible in fuzzing tests.  Fix this issue by adding missing error paths in nilfs_set_link(), nilfs_delete_entry(), and their caller nilfs_rename().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21722",
                                "url": "https://ubuntu.com/security/CVE-2025-21722",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: do not force clear folio if buffer is referenced  Patch series \"nilfs2: protect busy buffer heads from being force-cleared\".  This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue.   This patch (of 2):  Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to read-only, inconsistencies in the buffer state may occur.  One of the inconsistencies is that when nilfs2 calls mark_buffer_dirty() to set a data or metadata buffer as dirty, but it detects that the buffer is not in the uptodate state:   WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520   fs/buffer.c:1177  ...  Call Trace:   <TASK>   nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598   nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73   nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344   nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218   vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257   do_mkdirat+0x264/0x3a0 fs/namei.c:4280   __do_sys_mkdirat fs/namei.c:4295 [inline]   __se_sys_mkdirat fs/namei.c:4293 [inline]   __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293   do_syscall_x64 arch/x86/entry/common.c:52 [inline]   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83   entry_SYSCALL_64_after_hwframe+0x77/0x7f  The other is when nilfs_btree_propagate(), which propagates the dirty state to the ancestor nodes of a b-tree that point to a dirty buffer, detects that the origin buffer is not dirty, even though it should be:   WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089   nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089  ...  
Call Trace:   <TASK>   nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345   nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587   nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006   nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045   nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]   nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]   nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115   nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479   nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]   nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701   kthread+0x2f0/0x390 kernel/kthread.c:389   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244   </TASK>  Both of these issues are caused by the callbacks that handle the page/folio write requests, forcibly clear various states, including the working state of the buffers they hold, at unexpected times when they detect read-only fallback.  Fix these issues by checking if the buffer is referenced before clearing the page/folio state, and skipping the clear if it is.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21798",
                                "url": "https://ubuntu.com/security/CVE-2025-21798",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firewire: test: Fix potential null dereference in firewire kunit test  kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add a NULL check for test_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21723",
                                "url": "https://ubuntu.com/security/CVE-2025-21723",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpi3mr: Fix possible crash when setting up bsg fails  If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc->bsg_queue)\" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash:  BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace:   <TASK>   mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]   mpi3mr_remove+0x6f/0x340 [mpi3mr]   pci_device_remove+0x3f/0xb0   device_release_driver_internal+0x19d/0x220   unbind_store+0xa4/0xb0   kernfs_fop_write_iter+0x11f/0x200   vfs_write+0x1fc/0x3e0   ksys_write+0x67/0xe0   do_syscall_64+0x38/0x80   entry_SYSCALL_64_after_hwframe+0x78/0xe2",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21724",
                                "url": "https://ubuntu.com/security/CVE-2025-21724",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()  Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant \"1\" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior.  The constant \"1\" defaults to a 32-bit \"int\", and when \"pgshift\" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type.  To resolve this, the constant is updated to \"1UL\", promoting it to an unsigned long type to match the operand's type.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21825",
                                "url": "https://ubuntu.com/security/CVE-2025-21825",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT  During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens:    BUG: scheduling while atomic: test_progs/676/0x00000003   3 locks held by test_progs/676:   #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830   #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500   #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0   Modules linked in: bpf_testmod(O)   Preemption disabled at:   [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500   CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11   Tainted: [W]=WARN, [O]=OOT_MODULE   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...   
Call Trace:   <TASK>   dump_stack_lvl+0x57/0x70   dump_stack+0x10/0x20   __schedule_bug+0x120/0x170   __schedule+0x300c/0x4800   schedule_rtlock+0x37/0x60   rtlock_slowlock_locked+0x6d9/0x54c0   rt_spin_lock+0x168/0x230   hrtimer_cancel_wait_running+0xe9/0x1b0   hrtimer_cancel+0x24/0x30   bpf_timer_delete_work+0x1d/0x40   bpf_timer_cancel_and_free+0x5e/0x80   bpf_obj_free_fields+0x262/0x4a0   check_and_free_fields+0x1d0/0x280   htab_map_update_elem+0x7fc/0x1500   bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43   bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e   bpf_prog_test_run_syscall+0x322/0x830   __sys_bpf+0x135d/0x3ca0   __x64_sys_bpf+0x75/0xb0   x64_sys_call+0x1b5/0xa10   do_syscall_64+0x3b/0xc0   entry_SYSCALL_64_after_hwframe+0x4b/0x53   ...   </TASK>  It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full.  Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to    cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary.  It is a bit hard to decide the right fix tag. 
One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT.  Depends-on: v6.12+ with PREEMPT_RT enabled",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57990",
                                "url": "https://ubuntu.com/security/CVE-2024-57990",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7925: fix off by one in mt7925_load_clc()  This comparison should be >= instead of > to prevent an out of bounds read and write.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57974",
                                "url": "https://ubuntu.com/security/CVE-2024-57974",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp: Deal with race between UDP socket address change and rehash  If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated.  Secondary hash chains were introduced by commit 30fff9231fad (\"udp: bind() optimisation\") and, as a result, a rehash operation became needed to make a bound socket reachable again after a connect().  This operation was introduced by commit 719f835853a9 (\"udp: add rehash on connect()\") which isn't however a complete fix: the socket will be found once the rehashing completes, but not while it's pending.  This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a client sending datagrams to it. After the server receives the first datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to the address of the sender, in order to set up a directed flow.  
Now, if the client, running on a different CPU thread, happens to send a (subsequent) datagram while the server's socket changes its address, but is not rehashed yet, this will result in a failed lookup and a port unreachable error delivered to the client, as apparent from the following reproducer:    LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))   dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in    while :; do   \ttaskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &   \tsleep 0.1 || sleep 1   \ttaskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null   \twait   done  where the client will eventually get ECONNREFUSED on a write() (typically the second or third one of a given iteration):    2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused  This issue was first observed as a seldom failure in Podman's tests checking UDP functionality while using pasta(1) to connect the container's network namespace, which leads us to a reproducer with the lookup error resulting in an ICMP packet on a tap device:    LOCAL_ADDR=\"$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == \"global\").local')\"    while :; do   \t./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &   \tsleep 0.2 || sleep 1   \tsocat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null   \twait   \tcmp tmp.in tmp.out   done  Once this fails:    tmp.in tmp.out differ: char 8193, line 29  we can finally have a look at what's going on:    $ tshark -r pasta.pcap       1   0.000000           :: ? ff02::16     ICMPv6 110 Multicast Listener Report Message v2       2   0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       3   0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       4   0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       5   0.168827 c6:47:05:8d:dc:04 ? Broadcast    ARP 42 Who has 88.198.0.161? 
Tell 88.198.0.164       6   0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55       7   0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192       8   0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)       9   0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192      10   0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192      11   0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096      12   0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0  On the third datagram received, the network namespace of the container initiates an ARP lookup to deliver the ICMP message.  In another variant of this reproducer, starting the client with:    strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57994",
                                "url": "https://ubuntu.com/security/CVE-2024-57994",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()  Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage.  syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1]  As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH.  Rename helpers to better reflect they are safe against BH only.  - ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh() - skb_array_resize_multiple() to skb_array_resize_multiple_bh()  [1]  WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Modules linked in: CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline] RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85 RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083 RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843 RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040 R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff FS:  00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa15a0d4b72 CR3: 
00000000561b0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  tun_ptr_free drivers/net/tun.c:617 [inline]  __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]  ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]  tun_queue_resize drivers/net/tun.c:3694 [inline]  tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714  notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93  call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]  call_netdevice_notifiers net/core/dev.c:2046 [inline]  dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024  do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923  rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201  rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57999",
                                "url": "https://ubuntu.com/security/CVE-2024-57999",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW  Power Hypervisor can possibily allocate MMIO window intersecting with Dynamic DMA Window (DDW) range, which is over 32-bit addressing.  These MMIO pages needs to be marked as reserved so that IOMMU doesn't map DMA buffers in this range.  The current code is not marking these pages correctly which is resulting in LPAR to OOPS while booting. The stack is at below  BUG: Unable to handle kernel data access on read at 0xc00800005cd40000 Faulting instruction address: 0xc00000000005cdac Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod Supported: Yes, External CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries Workqueue: events work_for_cpu_fn NIP:  c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000 REGS: c00001400c9ff770 TRAP: 0300   Not tainted (6.4.0-150600.23.14-default) MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24228448 XER: 00000001 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800 GPR04: 0000080000000000 0000000000000001 
0000000004000000 0000000000800000 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100 LR [c00000000005e830] iommu_init_table+0x80/0x1e0 Call Trace: [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable) [c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40 [c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230 [c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90 [c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80 [c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net] [c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110 [c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60 [c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620 [c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620 [c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150 [c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18  There are 2 issues in the code  1. The index is \"int\" while the address is \"unsigned long\". This results in    negative value when setting the bitmap.  2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit    address). MMIO address needs to be page shifted as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58054",
                                "url": "https://ubuntu.com/security/CVE-2024-58054",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: max96712: fix kernel oops when removing module  The following kernel oops is thrown when trying to remove the max96712 module:  Unable to handle kernel paging request at virtual address 00007375746174db Mem abort info:   ESR = 0x0000000096000004   EC = 0x25: DABT (current EL), IL = 32 bits   SET = 0, FnV = 0   EA = 0, S1PTW = 0   FSC = 0x04: level 0 translation fault Data abort info:   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000   CM = 0, WnR = 0, TnD = 0, TagAccess = 0   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000 [00007375746174db] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan     snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2     imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev     snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils     max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse     [last unloaded: imx8_isi] CPU: 0 UID: 0 PID: 754 Comm: rmmod \t    Tainted: G         C    6.12.0-rc6-06364-g327fec852c31 #17 Tainted: [C]=CRAP Hardware name: NXP i.MX95 19X19 board (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : led_put+0x1c/0x40 lr : v4l2_subdev_put_privacy_led+0x48/0x58 sp : ffff80008699bbb0 x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8 x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000 x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010 x8 : 0101010101010101 x7 
: 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1 x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473 Call trace:  led_put+0x1c/0x40  v4l2_subdev_put_privacy_led+0x48/0x58  v4l2_async_unregister_subdev+0x2c/0x1a4  max96712_remove+0x1c/0x38 [max96712]  i2c_device_remove+0x2c/0x9c  device_remove+0x4c/0x80  device_release_driver_internal+0x1cc/0x228  driver_detach+0x4c/0x98  bus_remove_driver+0x6c/0xbc  driver_unregister+0x30/0x60  i2c_del_driver+0x54/0x64  max96712_i2c_driver_exit+0x18/0x1d0 [max96712]  __arm64_sys_delete_module+0x1a4/0x290  invoke_syscall+0x48/0x10c  el0_svc_common.constprop.0+0xc0/0xe0  do_el0_svc+0x1c/0x28  el0_svc+0x34/0xd8  el0t_64_sync_handler+0x120/0x12c  el0t_64_sync+0x190/0x194 Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400) ---[ end trace 0000000000000000 ]---  This happens because in v4l2_i2c_subdev_init(), the i2c_set_clientdata() is called again and the data is overwritten to point to sd, instead of priv. So, in remove(), the wrong pointer is passed to v4l2_async_unregister_subdev(), leading to a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58055",
                                "url": "https://ubuntu.com/security/CVE-2024-58055",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_tcm: Don't free command immediately  Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57979",
                                "url": "https://ubuntu.com/security/CVE-2024-57979",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pps: Fix a use-after-free  On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting:      pps pps1: removed     ------------[ cut here ]------------     kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.     WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150     CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1     Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : kobject_put+0x120/0x150     lr : kobject_put+0x120/0x150     sp : ffffffc0803d3ae0     x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001     x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440     x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600     x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000     x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20     x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000     x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000     x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000     x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000     x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000     Call trace:      kobject_put+0x120/0x150      cdev_put+0x20/0x3c      __fput+0x2c4/0x2d8      ____fput+0x1c/0x38      task_work_run+0x70/0xfc      do_exit+0x2a0/0x924      do_group_exit+0x34/0x90      get_signal+0x7fc/0x8c0      do_signal+0x128/0x13b4      do_notify_resume+0xdc/0x160      el0_svc+0xd4/0xf8      el0t_64_sync_handler+0x140/0x14c      el0t_64_sync+0x190/0x194     ---[ end trace 0000000000000000 ]---  ...followed by more symptoms of corruption, with similar stacks:      
refcount_t: underflow; use-after-free.     kernel BUG at lib/list_debug.c:62!     Kernel panic - not syncing: Oops - BUG: Fatal exception  This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board.  In commit d953e0e837e6 (\"pps: Fix a use-after free bug when unregistering a source.\"), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device.  But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.      pps_core: source serial1 got cdev (251:1)     <...>     pps pps1: removed     pps_core: unregistering pps1     pps_core: deallocating pps1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57980",
                                "url": "https://ubuntu.com/security/CVE-2024-57980",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: uvcvideo: Fix double free in error path  If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it.  Reviewed by: Ricardo Ribalda <ribalda@chromium.org>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58056",
                                "url": "https://ubuntu.com/security/CVE-2024-58056",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  remoteproc: core: Fix ida_free call while not allocated  In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called.  In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been  initialized to 0. ida_free() is called reporting a warning: [    4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [    4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [    4.188854] ida_free called for id=0 which is not allocated. [    4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [    4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [    4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [    4.231481] Hardware name: STM32 (Device Tree Support) [    4.236627] Workqueue: events_unbound deferred_probe_work_func [    4.242504] Call trace: [    4.242522]  unwind_backtrace from show_stack+0x10/0x14 [    4.250218]  show_stack from dump_stack_lvl+0x50/0x64 [    4.255274]  dump_stack_lvl from __warn+0x80/0x12c [    4.260134]  __warn from warn_slowpath_fmt+0x114/0x188 [    4.265199]  warn_slowpath_fmt from ida_free+0x100/0x164 [    4.270565]  ida_free from rproc_type_release+0x38/0x60 [    4.275832]  rproc_type_release from device_release+0x30/0xa0 [    4.281601]  device_release from kobject_put+0xc4/0x294 [    4.286762]  kobject_put from rproc_alloc.part.0+0x208/0x28c [    4.292430]  rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [    4.298393]  devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [    4.305575]  stm32_rproc_probe [stm32_rproc] from 
platform_probe+0x5c/0xbc  Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21705",
                                "url": "https://ubuntu.com/security/CVE-2025-21705",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: handle fastopen disconnect correctly  Syzbot was able to trigger a data stream corruption:    WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024   Modules linked in:   CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024   RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024   Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07   RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293   RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000   RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000   RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928   R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000   R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000   FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400   Call Trace:    <TASK>    __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074    mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493    release_sock+0x1aa/0x1f0 net/core/sock.c:3640    inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]    __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703    mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755    mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830    sock_sendmsg_nosec 
net/socket.c:711 [inline]    __sock_sendmsg+0x1a6/0x270 net/socket.c:726    ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583    ___sys_sendmsg net/socket.c:2637 [inline]    __sys_sendmsg+0x269/0x350 net/socket.c:2669    do_syscall_x64 arch/x86/entry/common.c:52 [inline]    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7f6e86ebfe69   Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48   RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e   RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69   RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003   RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000   R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc   R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508    </TASK>  The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors.  Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21707",
                                "url": "https://ubuntu.com/security/CVE-2025-21707",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: consolidate suboption status  MPTCP maintains the received sub-options status is the bitmask carrying the received suboptions and in several bitfields carrying per suboption additional info.  Zeroing the bitmask before parsing is not enough to ensure a consistent status, and the MPTCP code has to additionally clear some bitfiled depending on the actually parsed suboption.  The above schema is fragile, and syzbot managed to trigger a path where a relevant bitfield is not cleared/initialized:    BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]   BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]   BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]   BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209    __mptcp_expand_seq net/mptcp/options.c:1030 [inline]    mptcp_expand_seq net/mptcp/protocol.h:864 [inline]    ack_update_msk net/mptcp/options.c:1060 [inline]    mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209    tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233    tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264    tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916    tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351    ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205    ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233    NF_HOOK include/linux/netfilter.h:314 [inline]    ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254    dst_input include/net/dst.h:460 [inline]    ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447    NF_HOOK include/linux/netfilter.h:314 [inline]    ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567    __netif_receive_skb_one_core net/core/dev.c:5704 [inline]    __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817    process_backlog+0x4ad/0xa50 
net/core/dev.c:6149    __napi_poll+0xe7/0x980 net/core/dev.c:6902    napi_poll net/core/dev.c:6971 [inline]    net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093    handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561    __do_softirq+0x14/0x1a kernel/softirq.c:595    do_softirq+0x9a/0x100 kernel/softirq.c:462    __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389    local_bh_enable include/linux/bottom_half.h:33 [inline]    rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]    __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493    dev_queue_xmit include/linux/netdevice.h:3168 [inline]    neigh_hh_output include/net/neighbour.h:523 [inline]    neigh_output include/net/neighbour.h:537 [inline]    ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236    __ip_finish_output+0x287/0x810    ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324    NF_HOOK_COND include/linux/netfilter.h:303 [inline]    ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434    dst_output include/net/dst.h:450 [inline]    ip_local_out net/ipv4/ip_output.c:130 [inline]    __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536    ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550    __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468    tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]    tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829    __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012    tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618    __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130    __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496    mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550    mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889    mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]    mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]    mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]    mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750    
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]  ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57981",
                                "url": "https://ubuntu.com/security/CVE-2024-57981",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: xhci: Fix NULL pointer dereference on certain command aborts  If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment.  If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.  Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone.  This is probably Bug 219532, but no confirmation has been received.  The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21708",
                                "url": "https://ubuntu.com/security/CVE-2025-21708",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: rtl8150: enable basic endpoint checking  Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below.  For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary.  [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv> Modules linked in: CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8> RSP: 0018:ffffc9000441f740 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9 RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c FS:  00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733  __dev_open+0x2d4/0x4e0 net/core/dev.c:1474  __dev_change_flags+0x561/0x720 net/core/dev.c:8838  dev_change_flags+0x8f/0x160 net/core/dev.c:8910  
devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177  inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003  sock_do_ioctl+0x116/0x280 net/socket.c:1222  sock_ioctl+0x22e/0x6c0 net/socket.c:1341  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:907 [inline]  __se_sys_ioctl fs/ioctl.c:893 [inline]  __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc04ef73d49 ...  This change has not been tested on real hardware.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21826",
                                "url": "https://ubuntu.com/security/CVE-2025-21826",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: reject mismatching sum of field_len with set key length  The field length description provides the length of each separated key field in the concatenation, each field gets rounded up to 32-bits to calculate the pipapo rule width from pipapo_init(). The set key length provides the total size of the key aligned to 32-bits.  Register-based arithmetics still allows for combining mismatching set key length and field length description, eg. set key length 10 and field description [ 5, 4 ] leading to pipapo width of 12.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21808",
                                "url": "https://ubuntu.com/security/CVE-2025-21808",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: xdp: Disallow attaching device-bound programs in generic mode  Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means they can't work in generic XDP mode. However, there is no check to disallow such programs from being attached in generic mode, in which case the metadata kfuncs will be called in an invalid context, leading to crashes.  Fix this by adding a check to disallow attaching device-bound programs in generic mode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21710",
                                "url": "https://ubuntu.com/security/CVE-2025-21710",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: correct handling of extreme memory squeeze  Testing with iperf3 using the \"pasta\" protocol splicer has revealed a problem in the way tcp handles window advertising in extreme memory squeeze situations.  Under memory pressure, a socket endpoint may temporarily advertise a zero-sized window, but this is not stored as part of the socket data. The reasoning behind this is that it is considered a temporary setting which shouldn't influence any further calculations.  However, if we happen to stall at an unfortunate value of the current window size, the algorithm selecting a new value will consistently fail to advertise a non-zero window once we have freed up enough memory. This means that this side's notion of the current window size is different from the one last advertised to the peer, causing the latter to not send any data to resolve the situation.  The problem occurs on the iperf3 server side, and the socket in question is a completely regular socket with the default settings for the fedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.  
The following excerpt of a logging session, with own comments added, shows more in detail what is happening:  //              tcp_v4_rcv(->) //                tcp_rcv_established(->) [5201<->39222]:     ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ==== [5201<->39222]:     tcp_data_queue(->) [5201<->39222]:        DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM                        [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]                        [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0]                        [OFO queue: gap: 65480, len: 0] [5201<->39222]:     tcp_data_queue(<-) [5201<->39222]:     __tcp_transmit_skb(->)                         [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]:       tcp_select_window(->) [5201<->39222]:         (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE                         [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]                         returning 0 [5201<->39222]:       tcp_select_window(<-) [5201<->39222]:       ADVERTISING WIN 0, ACK_SEQ: 265600160 [5201<->39222]:     [__tcp_transmit_skb(<-) [5201<->39222]:   tcp_rcv_established(<-) [5201<->39222]: tcp_v4_rcv(<-)  // Receive queue is at 85 buffers and we are out of memory. // We drop the incoming buffer, although it is in sequence, and decide // to send an advertisement with a window of zero. // We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means // we unconditionally shrink the window.  [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]:   __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]:     [new_win = 0, win_now = 131184, 2 * win_now = 262368] [5201<->39222]:     [new_win >= (2 * win_now) ? 
--> time_to_ack = 0] [5201<->39222]:     NOT calling tcp_send_ack()                     [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] [5201<->39222]:   __tcp_cleanup_rbuf(<-)                   [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]                   [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0]                   returning 6104 bytes [5201<->39222]: tcp_recvmsg_locked(<-)  // After each read, the algorithm for calculating the new receive // window in __tcp_cleanup_rbuf() finds it is too small to advertise // or to update tp->rcv_wnd. // Meanwhile, the peer thinks the window is zero, and will not send // any more data to trigger an update from the interrupt mode side.  [5201<->39222]: tcp_recvmsg_locked(->) [5201<->39222]:   __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 [5201<->39222]:     [new_win = 262144, win_now = 131184, 2 * win_n ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21715",
                                "url": "https://ubuntu.com/security/CVE-2025-21715",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: davicom: fix UAF in dm9000_drv_remove  dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function.  This is similar to the issue fixed in commit ad297cd2db89 (\"net: qcom/emac: fix UAF in emac_remove\").  This bug is detected by our static analysis tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21716",
                                "url": "https://ubuntu.com/security/CVE-2025-21716",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vxlan: Fix uninit-value in vxlan_vnifilter_dump()  KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1].  If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations.  [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422  vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422  rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786  netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317  __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432  netlink_dump_start include/linux/netlink.h:340 [inline]  rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline]  rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882  netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542  rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]  netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347  netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891  sock_sendmsg_nosec net/socket.c:711 [inline]  __sock_sendmsg+0x330/0x3d0 net/socket.c:726  ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637  __sys_sendmsg net/socket.c:2669 [inline]  __do_sys_sendmsg net/socket.c:2674 [inline]  __se_sys_sendmsg net/socket.c:2672 [inline]  __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672  x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4110 [inline]  slab_alloc_node mm/slub.c:4153 [inline]  
kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205  kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587  __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678  alloc_skb include/linux/skbuff.h:1323 [inline]  netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196  netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866  sock_sendmsg_nosec net/socket.c:711 [inline]  __sock_sendmsg+0x330/0x3d0 net/socket.c:726  ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637  __sys_sendmsg net/socket.c:2669 [inline]  __do_sys_sendmsg net/socket.c:2674 [inline]  __se_sys_sendmsg net/socket.c:2672 [inline]  __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672  x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21718",
                                "url": "https://ubuntu.com/security/CVE-2025-21718",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rose: fix timer races against user threads  Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread.  Add a check and rearm the timers if needed.  BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <IRQ>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120   print_address_description mm/kasan/report.c:378 [inline]   print_report+0x169/0x550 mm/kasan/report.c:489   kasan_report+0x143/0x180 mm/kasan/report.c:602   rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174   call_timer_fn+0x187/0x650 kernel/time/timer.c:1793   expire_timers kernel/time/timer.c:1844 [inline]   __run_timers kernel/time/timer.c:2418 [inline]   __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430   run_timer_base kernel/time/timer.c:2439 [inline]   run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449   handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561   __do_softirq kernel/softirq.c:595 [inline]   invoke_softirq kernel/softirq.c:435 [inline]   __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662   irq_exit_rcu+0x9/0x30 kernel/softirq.c:678   instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]   sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049  </IRQ>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21719",
                                "url": "https://ubuntu.com/security/CVE-2025-21719",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmr: do not call mr_mfc_uses_dev() for unres entries  syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to \"struct sk_buff_head unresolved\", which contain two pointers.  This code never worked, lets remove it.  [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]  pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334  lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]  lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace:   mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)   mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)   mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382   ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648   rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327   rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791   netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317   netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973   sock_recvmsg_nosec net/socket.c:1033 [inline]   sock_recvmsg net/socket.c:1055 [inline]   sock_read_iter+0x2d8/0x40c net/socket.c:1125   new_sync_read fs/read_write.c:484 [inline]   vfs_read+0x740/0x970 fs/read_write.c:565   ksys_read+0x15c/0x26c fs/read_write.c:708",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21802",
                                "url": "https://ubuntu.com/security/CVE-2025-21802",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: hns3: fix oops when unload drivers paralleling  When unloading the hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If the user unloads the hns3 driver at the same time, all the ae_dev nodes are removed, which may cause an oops.  But we can't simply use hnae3_common_lock for this, because in the process flow of pci_disable_sriov() it will trigger the remove flow of VF, which will also take hnae3_common_lock.  To fix it, introduce a new mutex to protect the unload process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58058",
                                "url": "https://ubuntu.com/security/CVE-2024-58058",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ubifs: skip dumping tnc tree when zroot is null  Clearing the slab cache will free all znodes in memory and set c->zroot.znode = NULL; dumping the tnc tree will then access c->zroot.znode, which causes a null pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58069",
                                "url": "https://ubuntu.com/security/CVE-2024-58069",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read  The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int.  Fix this by using an intermediary unsigned int to hold the value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21720",
                                "url": "https://ubuntu.com/security/CVE-2025-21720",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: delete intermediate secpath entry in packet offload mode  Packets handled by hardware have added secpath as a way to inform XFRM core code that this path was already handled. That secpath is not needed at all after policy is checked and it is removed later in the stack.  However, in the case of IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward), that secpath is not removed and packets which already were handled are reentered to the driver TX path with xfrm_offload set.  The following kernel panic is observed in mlx5 in such case:   mlx5_core 0000:04:00.0 enp4s0f0np0: Link up  mlx5_core 0000:04:00.1 enp4s0f1np1: Link up  Initializing XFRM netlink socket  IPsec XFRM device driver  BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor instruction fetch in kernel mode  #PF: error_code(0x0010) - not-present page  PGD 0 P4D 0  Oops: Oops: 0010 [#1] PREEMPT SMP  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014  RIP: 0010:0x0  Code: Unable to access opcode bytes at 0xffffffffffffffd6.  RSP: 0018:ffffb87380003800 EFLAGS: 00010206  RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf  RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00  RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010  R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00  R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e  FS:  0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0  Call Trace:   <IRQ>   ? show_regs+0x63/0x70   ? __die_body+0x20/0x60   ? __die+0x2b/0x40   ? page_fault_oops+0x15c/0x550   ? do_user_addr_fault+0x3ed/0x870   ? 
exc_page_fault+0x7f/0x190   ? asm_exc_page_fault+0x27/0x30   mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core]   mlx5e_xmit+0x58e/0x1980 [mlx5_core]   ? __fib_lookup+0x6a/0xb0   dev_hard_start_xmit+0x82/0x1d0   sch_direct_xmit+0xfe/0x390   __dev_queue_xmit+0x6d8/0xee0   ? __fib_lookup+0x6a/0xb0   ? internal_add_timer+0x48/0x70   ? mod_timer+0xe2/0x2b0   neigh_resolve_output+0x115/0x1b0   __neigh_update+0x26a/0xc50   neigh_update+0x14/0x20   arp_process+0x2cb/0x8e0   ? __napi_build_skb+0x5e/0x70   arp_rcv+0x11e/0x1c0   ? dev_gro_receive+0x574/0x820   __netif_receive_skb_list_core+0x1cf/0x1f0   netif_receive_skb_list_internal+0x183/0x2a0   napi_complete_done+0x76/0x1c0   mlx5e_napi_poll+0x234/0x7a0 [mlx5_core]   __napi_poll+0x2d/0x1f0   net_rx_action+0x1a6/0x370   ? atomic_notifier_call_chain+0x3b/0x50   ? irq_int_handler+0x15/0x20 [mlx5_core]   handle_softirqs+0xb9/0x2f0   ? handle_irq_event+0x44/0x60   irq_exit_rcu+0xdb/0x100   common_interrupt+0x98/0xc0   </IRQ>   <TASK>   asm_common_interrupt+0x27/0x40  RIP: 0010:pv_native_safe_halt+0xb/0x10  Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22  0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb 40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8  RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680  RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4  RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70  R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40  R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8   ? default_idle+0x9/0x20   arch_cpu_idle+0x9/0x10   default_idle_call+0x29/0xf0   do_idle+0x1f2/0x240   cpu_startup_entry+0x2c/0x30   rest_init+0xe7/0x100   start_kernel+0x76b/0xb90   x86_64_start_reservations+0x18/0x30   x86_64_start_kernel+0xc0/0x110   ? 
setup_ghcb+0xe/0x130   common_startup_64+0x13e/0x141   </TASK>  Modules linked in: esp4_offload esp4 xfrm_interface xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21803",
                                "url": "https://ubuntu.com/security/CVE-2025-21803",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix warnings during S3 suspend  The enable_gpe_wakeup() function calls acpi_enable_all_wakeup_gpes(), and the later one may call the preempt_schedule_common() function, resulting in a thread switch and causing the CPU to be in an interrupt enabled state after the enable_gpe_wakeup() function returns, leading to the warnings as follow.  [ C0] WARNING: ... at kernel/time/timekeeping.c:845 ktime_get+0xbc/0xc8 [ C0]          ... [ C0] Call Trace: [ C0] [<90000000002243b4>] show_stack+0x64/0x188 [ C0] [<900000000164673c>] dump_stack_lvl+0x60/0x88 [ C0] [<90000000002687e4>] __warn+0x8c/0x148 [ C0] [<90000000015e9978>] report_bug+0x1c0/0x2b0 [ C0] [<90000000016478e4>] do_bp+0x204/0x3b8 [ C0] [<90000000025b1924>] exception_handlers+0x1924/0x10000 [ C0] [<9000000000343bbc>] ktime_get+0xbc/0xc8 [ C0] [<9000000000354c08>] tick_sched_timer+0x30/0xb0 [ C0] [<90000000003408e0>] __hrtimer_run_queues+0x160/0x378 [ C0] [<9000000000341f14>] hrtimer_interrupt+0x144/0x388 [ C0] [<9000000000228348>] constant_timer_interrupt+0x38/0x48 [ C0] [<90000000002feba4>] __handle_irq_event_percpu+0x64/0x1e8 [ C0] [<90000000002fed48>] handle_irq_event_percpu+0x20/0x80 [ C0] [<9000000000306b9c>] handle_percpu_irq+0x5c/0x98 [ C0] [<90000000002fd4a0>] generic_handle_domain_irq+0x30/0x48 [ C0] [<9000000000d0c7b0>] handle_cpu_irq+0x70/0xa8 [ C0] [<9000000001646b30>] handle_loongarch_irq+0x30/0x48 [ C0] [<9000000001646bc8>] do_vint+0x80/0xe0 [ C0] [<90000000002aea1c>] finish_task_switch.isra.0+0x8c/0x2a8 [ C0] [<900000000164e34c>] __schedule+0x314/0xa48 [ C0] [<900000000164ead8>] schedule+0x58/0xf0 [ C0] [<9000000000294a2c>] worker_thread+0x224/0x498 [ C0] [<900000000029d2f0>] kthread+0xf8/0x108 [ C0] [<9000000000221f28>] ret_from_kernel_thread+0xc/0xa4 [ C0] [ C0] ---[ end trace 0000000000000000 ]---  The root cause is acpi_enable_all_wakeup_gpes() uses a mutex to protect 
acpi_hw_enable_all_wakeup_gpes(), and acpi_ut_acquire_mutex() may cause a thread switch. Since there is no longer concurrent execution during loongarch_acpi_suspend(), we can call acpi_hw_enable_all_wakeup_gpes() directly in enable_gpe_wakeup().  The solution is similar to commit 22db06337f590d01 (\"ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep()\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21810",
                                "url": "https://ubuntu.com/security/CVE-2025-21810",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()  There is a potential wild pointer dereference issue regarding the APIs class_dev_iter_(init|next|exit)(), as explained by the typical usage below:  // All members of @iter are wild pointers. struct class_dev_iter iter;  // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...);  // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... };  // Also dereference these wild pointers here. class_dev_iter_exit(&iter);  Actually, all callers of these APIs in the kernel tree follow this usage pattern. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init()   and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21811",
                                "url": "https://ubuntu.com/security/CVE-2025-21811",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: protect access to buffers with no active references  nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, accesses the attached buffers without locking the folios/pages.  For data cache, nilfs_clear_folio_dirty() may be called asynchronously when the file system degenerates to read only, so nilfs_lookup_dirty_data_buffers() still has the potential to cause use after free issues when buffers lose the protection of their dirty state midway due to this asynchronous clearing and are unintentionally freed by try_to_free_buffers().  Eliminate this race issue by adjusting the lock section in this function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21804",
                                "url": "https://ubuntu.com/security/CVE-2025-21804",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()  The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is then passed on as one of the macro arguments. This can lead to undefined behavior.  Depending on the current contents of the memory, the manifestations of errors may vary. One possible output may be as follows:    $ cat /proc/iomem   30000000-37ffffff :   38000000-3fffffff :  Sometimes, garbage may appear after the colon.  In very rare cases, if no NULL-terminator is found in memory, the system might crash because the string iterator will overrun which can lead to access of unmapped memory above the stack.  Thus, fix this by replacing outbound_name with the name of the previously requested resource. With the changes applied, the output will be as follows:    $ cat /proc/iomem   30000000-37ffffff : memory2   38000000-3fffffff : memory3  [kwilczynski: commit log]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21829",
                                "url": "https://ubuntu.com/security/CVE-2025-21829",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"  The Call Trace is as below: \"   <TASK>   ? show_regs.cold+0x1a/0x1f   ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]   ? __warn+0x84/0xd0   ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]   ? report_bug+0x105/0x180   ? handle_bug+0x46/0x80   ? exc_invalid_op+0x19/0x70   ? asm_exc_invalid_op+0x1b/0x20   ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]   ? __rxe_cleanup+0x124/0x170 [rdma_rxe]   rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe]   ib_destroy_qp_user+0x118/0x190 [ib_core]   rdma_destroy_qp.cold+0x43/0x5e [rdma_cm]   rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core]   rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server]   process_one_work+0x21d/0x3f0   worker_thread+0x4a/0x3c0   ? process_one_work+0x3f0/0x3f0   kthread+0xf0/0x120   ? kthread_complete_and_exit+0x20/0x20   ret_from_fork+0x22/0x30   </TASK> \" When too many rdma resources are allocated, rxe needs more time to handle these rdma resources. Sometimes with the current timeout, rxe can not release the rdma resources correctly.  Compared with other rdma drivers, a bigger timeout is used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57984",
                                "url": "https://ubuntu.com/security/CVE-2024-57984",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition  In dw_i3c_common_probe, &master->hj_work is bound with dw_i3c_hj_work. And dw_i3c_master_irq_handler can call dw_i3c_master_irq_handle_ibis function to start the work.  If we remove the module which will call dw_i3c_common_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:  CPU0                                      CPU1                                       | dw_i3c_hj_work dw_i3c_common_remove                 | i3c_master_unregister(&master->base) | device_unregister(&master->dev)      | device_release                       | //free master->base                  |                                      | i3c_master_do_daa(&master->base)                                      | //use master->base  Fix it by ensuring that the work is canceled before proceeding with the cleanup in dw_i3c_common_remove.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58034",
                                "url": "https://ubuntu.com/security/CVE-2024-58034",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()  As of_find_node_by_name() release the reference of the argument device node, tegra_emc_find_node_by_ram_code() releases some device nodes while still in use, resulting in possible UAFs. According to the bindings and the in-tree DTS files, the \"emc-tables\" node is always device's child node with the property \"nvidia,use-ram-code\", and the \"lpddr2\" node is a child of the \"emc-tables\" node. Thus utilize the for_each_child_of_node() macro and of_get_child_by_name() instead of of_find_node_by_name() to simplify the code.  This bug was found by an experimental verification tool that I am developing.  [krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57973",
                                "url": "https://ubuntu.com/security/CVE-2024-57973",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rdma/cxgb4: Prevent potential integer overflow on 32bit  The \"gl->tot_len\" variable is controlled by the user.  It comes from process_responses().  On 32bit systems, the \"gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)\" addition could have an integer wrapping bug.  Use size_add() to prevent this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21725",
                                "url": "https://ubuntu.com/security/CVE-2025-21725",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix oops due to unset link speed  It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening:  Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24 RSP: 0018:ffffc90001817be0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99 RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228 RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200 R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58 FS: 00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace:  <TASK>  ? __die_body.cold+0x19/0x27  ? die+0x2e/0x50  ? do_trap+0x159/0x1b0  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? do_error_trap+0x90/0x130  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? exc_divide_error+0x39/0x50  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? asm_exc_divide_error+0x1a/0x20  ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs]  ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]  ? seq_read_iter+0x42e/0x790  seq_read_iter+0x19a/0x790  proc_reg_read_iter+0xbe/0x110  ? __pfx_proc_reg_read_iter+0x10/0x10  vfs_read+0x469/0x570  ? do_user_addr_fault+0x398/0x760  ? 
__pfx_vfs_read+0x10/0x10  ? find_held_lock+0x8a/0xa0  ? __pfx_lock_release+0x10/0x10  ksys_read+0xd3/0x170  ? __pfx_ksys_read+0x10/0x10  ? __rcu_read_unlock+0x50/0x270  ? mark_held_locks+0x1a/0x90  do_syscall_64+0xbb/0x1d0  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe271288911 Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911 RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003 RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000  </TASK>  Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21726",
                                "url": "https://ubuntu.com/security/CVE-2025-21726",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: avoid UAF for reorder_work  Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:  crypto_request\t\t\tcrypto_request\t\tcrypto_del_alg padata_do_serial   ...   padata_reorder     // processes all remaining     // requests then breaks     while (1) {       if (!padata)         break;       ...     }  \t\t\t\tpadata_do_serial \t\t\t\t  // new request added \t\t\t\t  list_add     // sees the new request     queue_work(reorder_work) \t\t\t\t  padata_reorder \t\t\t\t    queue_work_on(squeue->work) ...  \t\t\t\t<kworker context> \t\t\t\tpadata_serial_worker \t\t\t\t// completes new request, \t\t\t\t// no more outstanding \t\t\t\t// requests  \t\t\t\t\t\t\tcrypto_del_alg \t\t\t\t\t\t\t  // free pd  <kworker context> invoke_padata_reorder   // UAF of pd  To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21727",
                                "url": "https://ubuntu.com/security/CVE-2025-21727",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  padata: fix UAF in padata_reorder  A bug was found when running the ltp test:  BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206  CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0  If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01).  This can be explained as below:  pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker\t\t\t\tcrypto_del_alg padata_put_pd_cnt // sub refcnt \t\t\t\t\t\tpadata_free_shell \t\t\t\t\t\tpadata_put_pd(ps->pd); \t\t\t\t\t\t// pd is freed // loop again, but pd is freed // call padata_find_next, UAF }  In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF.  As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' to wait for all _do_serial calls to finish.  [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21728",
                                "url": "https://ubuntu.com/security/CVE-2025-21728",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Send signals asynchronously if !preemptible  BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58070",
                                "url": "https://ubuntu.com/security/CVE-2024-58070",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT  In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT is enabled.  [   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs [   35.118569] preempt_count: 1, expected: 0 [   35.118571] RCU nest depth: 1, expected: 1 [   35.118577] INFO: lockdep is turned off.     ... [   35.118647]  __might_resched+0x433/0x5b0 [   35.118677]  rt_spin_lock+0xc3/0x290 [   35.118700]  ___slab_alloc+0x72/0xc40 [   35.118723]  __kmalloc_noprof+0x13f/0x4e0 [   35.118732]  bpf_map_kzalloc+0xe5/0x220 [   35.118740]  bpf_selem_alloc+0x1d2/0x7b0 [   35.118755]  bpf_local_storage_update+0x2fa/0x8b0 [   35.118784]  bpf_sk_storage_get_tracing+0x15a/0x1d0 [   35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66 [   35.118795]  bpf_trace_run3+0x222/0x400 [   35.118820]  __bpf_trace_inet_sock_set_state+0x11/0x20 [   35.118824]  trace_inet_sock_set_state+0x112/0x130 [   35.118830]  inet_sk_state_store+0x41/0x90 [   35.118836]  tcp_set_state+0x3b3/0x640  There is no need to adjust the gfp_flags passing to the bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL. The verifier has ensured GFP_KERNEL is passed only in sleepable context.  It has been an old issue since the first introduction of the bpf_local_storage ~5 years ago, so this patch targets the bpf-next.  bpf_mem_alloc is needed to solve it, so the Fixes tag is set to the commit when bpf_mem_alloc was first used in the bpf_local_storage.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21711",
                                "url": "https://ubuntu.com/security/CVE-2025-21711",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rose: prevent integer overflows in rose_setsockopt()  In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur.  Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21799",
                                "url": "https://ubuntu.com/security/CVE-2025-21799",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()  When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns a negative error value on error. So a non-NULL check is not sufficient to determine if the IRQ is valid. Check that the IRQ is greater than zero to ensure it is valid.  There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels()  am65_cpsw_nuss_update_tx_rx_chns()   am65_cpsw_nuss_remove_tx_chns()   am65_cpsw_nuss_init_tx_chns()  At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value.  Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning.  The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21806",
                                "url": "https://ubuntu.com/security/CVE-2025-21806",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: let net.core.dev_weight always be non-zero  The following problem was encountered during stability test:  (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \\ \treturned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \\ \tnext=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \\ \t__list_add_valid_or_report+0xf3/0x130 CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ RIP: 0010:__list_add_valid_or_report+0xf3/0x130 Call Trace: ? __warn+0xcd/0x250 ? __list_add_valid_or_report+0xf3/0x130 enqueue_to_backlog+0x923/0x1070 netif_rx_internal+0x92/0x2b0 __netif_rx+0x15/0x170 loopback_xmit+0x2ef/0x450 dev_hard_start_xmit+0x103/0x490 __dev_queue_xmit+0xeac/0x1950 ip_finish_output2+0x6cc/0x1620 ip_output+0x161/0x270 ip_push_pending_frames+0x155/0x1a0 raw_sendmsg+0xe13/0x1550 __sys_sendto+0x3bf/0x4e0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x5b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e  The reproduction command is as follows:   sysctl -w net.core.dev_weight=0   ping 127.0.0.1  This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue.  Making the napi's weight always non-zero solves this problem.  Triggering this issue requires system-wide admin (setting is not namespaced).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21830",
                                "url": "https://ubuntu.com/security/CVE-2025-21830",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  landlock: Handle weird files  A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21828",
                                "url": "https://ubuntu.com/security/CVE-2025-21828",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: don't flush non-uploaded STAs  If STA state is pre-moved to AUTHORIZED (such as in IBSS scenarios) and insertion fails, the station is freed. In this case, the driver never knew about the station, so trying to flush it is unexpected and may crash.  Check if the sta was uploaded to the driver before and fix this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58061",
                                "url": "https://ubuntu.com/security/CVE-2024-58061",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: prohibit deactivating all links  In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57993",
                                "url": "https://ubuntu.com/security/CVE-2024-57993",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check  syzbot has found a type mismatch between a USB pipe and the transfer endpoint, which is triggered by the hid-thrustmaster driver[1]. There is a number of similar, already fixed issues [2]. In this case as in others, implementing check for endpoint type fixes the issue.  [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470 [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21812",
                                "url": "https://ubuntu.com/security/CVE-2025-21812",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ax25: rcu protect dev->ax25_ptr  syzbot found a lockdep issue [1].  We should remove ax25 RTNL dependency in ax25_setsockopt()  This should also fix a variety of possible UAF in ax25.  [1]  WARNING: possible circular locking dependency detected 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted ------------------------------------------------------ syz.5.1818/12806 is trying to acquire lock:  ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680  but task is already holding lock:  ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]  ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:         lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849         lock_sock_nested+0x48/0x100 net/core/sock.c:3642         lock_sock include/net/sock.h:1618 [inline]         ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]         ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146         notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85        __dev_notify_flags+0x207/0x400         dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026         dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563         dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820         sock_do_ioctl+0x240/0x460 net/socket.c:1234         sock_ioctl+0x626/0x8e0 net/socket.c:1339         vfs_ioctl fs/ioctl.c:51 [inline]         __do_sys_ioctl fs/ioctl.c:906 [inline]         __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892         do_syscall_x64 arch/x86/entry/common.c:52 [inline]         do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83        entry_SYSCALL_64_after_hwframe+0x77/0x7f  -> #0 (rtnl_mutex){+.+.}-{4:4}:         
check_prev_add kernel/locking/lockdep.c:3161 [inline]         check_prevs_add kernel/locking/lockdep.c:3280 [inline]         validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904         __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226         lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849         __mutex_lock_common kernel/locking/mutex.c:585 [inline]         __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735         ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680         do_sock_setsockopt+0x3af/0x720 net/socket.c:2324         __sys_setsockopt net/socket.c:2349 [inline]         __do_sys_setsockopt net/socket.c:2355 [inline]         __se_sys_setsockopt net/socket.c:2352 [inline]         __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352         do_syscall_x64 arch/x86/entry/common.c:52 [inline]         do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83        entry_SYSCALL_64_after_hwframe+0x77/0x7f  other info that might help us debug this:   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(sk_lock-AF_AX25);                                lock(rtnl_mutex);                                lock(sk_lock-AF_AX25);   lock(rtnl_mutex);   *** DEADLOCK ***  1 lock held by syz.5.1818/12806:   #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]   #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574  stack backtrace: CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120   print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074   check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206   check_prev_add kernel/locking/lockdep.c:3161 
[inline]   check_prevs_add kernel/lockin ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58071",
                                "url": "https://ubuntu.com/security/CVE-2024-58071",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  team: prevent adding a device which is already a team device lower  Prevent adding a device which is already a team device lower, e.g. adding veth0 if vlan1 was already added and veth0 is a lower of vlan1.  This is not useful in practice and can lead to recursive locking:  $ ip link add veth0 type veth peer name veth1 $ ip link set veth0 up $ ip link set veth1 up $ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1 $ ip link add team0 type team $ ip link set veth0.1 down $ ip link set veth0.1 master team0 team0: Port device veth0.1 added $ ip link set veth0 down $ ip link set veth0 master team0  ============================================ WARNING: possible recursive locking detected 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted -------------------------------------------- ip/7684 is trying to acquire lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)  but task is already holding lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977)  other info that might help us debug this: Possible unsafe locking scenario:  CPU0 ---- lock(team->team_lock_key); lock(team->team_lock_key);  *** DEADLOCK ***  May be due to missing lock nesting notation  2 locks held by ip/7684:  stack backtrace: CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_deadlock_bug.cold (kernel/locking/lockdep.c:3040) __lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226) ? 
netlink_broadcast_filtered (net/netlink/af_netlink.c:1548) lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2)) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? lock_acquire (kernel/locking/lockdep.c:5822) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) __mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? fib_sync_up (net/ipv4/fib_semantics.c:2167) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) __dev_notify_flags (net/core/dev.c:8993) ? __dev_change_flags (net/core/dev.c:8975) dev_change_flags (net/core/dev.c:9027) vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470) ? br_device_event (net/bridge/br.c:143) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) dev_open (net/core/dev.c:1519 net/core/dev.c:1505) team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977) ? __pfx_team_add_slave (drivers/net/team/team_core.c:1972) do_set_master (net/core/rtnetlink.c:2917) do_setlink.isra.0 (net/core/rtnetlink.c:3117)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58063",
                                "url": "https://ubuntu.com/security/CVE-2024-58063",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtlwifi: fix memory leaks and invalid access at probe error path  Deinitialize at reverse order when probe fails.  When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue.  And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked.  Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f (\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and commit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58072",
                                "url": "https://ubuntu.com/security/CVE-2024-58072",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rtlwifi: remove unused check_buddy_priv  Commit 2461c7d60f9f (\"rtlwifi: Update header file\") introduced a global list of private data structures.  Later on, commit 26634c4b1868 (\"rtlwifi Modify existing bits to match vendor version 2013.02.07\") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device.  However, that function was never used.  Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory.  Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58053",
                                "url": "https://ubuntu.com/security/CVE-2024-58053",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  rxrpc: Fix handling of received connection abort  Fix the handling of a connection abort that we've received.  Though the abort is at the connection level, it needs propagating to the calls on that connection.  Whilst the propagation bit is performed, the calls aren't then woken up to go and process their termination, and as no further input is forthcoming, they just hang.  Also add some tracing for the logging of connection aborts.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57996",
                                "url": "https://ubuntu.com/security/CVE-2024-57996",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: sch_sfq: don't allow 1 packet limit  The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well.  This fixes the following syzkaller reported crash:  UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace:   __dump_stack lib/dump_stack.c:79 [inline]   dump_stack+0x125/0x19f lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:148 [inline]   __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347   sfq_link net/sched/sch_sfq.c:210 [inline]   sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238   sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500   sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319   qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026   dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296   netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]   dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362   __dev_close_many+0x214/0x350 net/core/dev.c:1468   dev_close_many+0x207/0x510 net/core/dev.c:1506   unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738   unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695   unregister_netdevice include/linux/netdevice.h:2893 [inline]   __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689   tun_detach drivers/net/tun.c:705 [inline]   tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640   __fput+0x203/0x840 fs/file_table.c:280   task_work_run+0x129/0x1b0 kernel/task_work.c:185   exit_task_work include/linux/task_work.h:33 [inline]   do_exit+0x5ce/0x2200 
kernel/exit.c:931   do_group_exit+0x144/0x310 kernel/exit.c:1046   __do_sys_exit_group kernel/exit.c:1057 [inline]   __se_sys_exit_group kernel/exit.c:1055 [inline]   __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055  do_syscall_64+0x6c/0xd0  entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270  The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1):  tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1  Scenario that triggers the crash:  * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1  * TBF dequeues: it peeks from SFQ which moves the packet to the   gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so   it schedules itself for later.  * the second packet is sent and TBF tries to queues it to SFQ. qdisc   qlen is now 2 and because the SFQ limit is 1 the packet is dropped   by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,   however q->tail is not NULL.  At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57997",
                                "url": "https://ubuntu.com/security/CVE-2024-57997",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: wcn36xx: fix channel survey memory allocation size  KASAN reported a memory allocation issue in wcn->chan_survey due to incorrect size calculation. This commit uses kcalloc to allocate memory for wcn->chan_survey, ensuring proper initialization and preventing the use of uninitialized values when there are no frames on the channel.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58051",
                                "url": "https://ubuntu.com/security/CVE-2024-58051",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: ipmb: Add check devm_kasprintf() returned value  devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58068",
                                "url": "https://ubuntu.com/security/CVE-2024-58068",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized  If a driver calls dev_pm_opp_find_bw_ceil/floor() to retrieve bandwidth from the OPP table but the bandwidth table was not created because the interconnect properties were missing in the OPP consumer node, the kernel will crash with:  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 ... pc : _read_bw+0x8/0x10 lr : _opp_table_find_key+0x9c/0x174 ... Call trace:   _read_bw+0x8/0x10 (P)   _opp_table_find_key+0x9c/0x174 (L)   _find_key+0x98/0x168   dev_pm_opp_find_bw_ceil+0x50/0x88 ...  In order to fix the crash, create an assert function to check if the bandwidth table was created before trying to get a bandwidth with _read_bw().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57998",
                                "url": "https://ubuntu.com/security/CVE-2024-57998",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  OPP: add index check to assert to avoid buffer overflow in _read_freq()  Pass the freq index to the assert function to make sure we do not read a freq out of the opp->rates[] table when called from the indexed variants: dev_pm_opp_find_freq_exact_indexed() or dev_pm_opp_find_freq_ceil/floor_indexed().  Add a secondary parameter to the assert function, unused for assert_single_clk() then add assert_clk_index() which will check for the clock index when called from the _indexed() find functions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-58052",
                                "url": "https://ubuntu.com/security/CVE-2024-58052",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table  The function atomctrl_get_smc_sclk_range_table() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve SMU_Info table, it returns NULL which is later dereferenced.  Found by Linux Verification Center (linuxtesting.org) with SVACE.  In practice this should never happen as this code only gets called on polaris chips and the vbios data table will always be present on those chips.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-06 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57986",
                                "url": "https://ubuntu.com/security/CVE-2024-57986",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections  A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers.  One of the errors was fixed by commit ea427a222d8b (\"HID: core: Fix deadloop in hid_apply_multiplier.\"), but the other has not been fixed.  This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL.  This is in spite of the fact that the function starts with a big comment saying:  \t * \"The Resolution Multiplier control must be contained in the same \t * Logical Collection as the control(s) to which it is to be applied. \t   ... \t *  If no Logical Collection is \t * defined, the Resolution Multiplier is associated with all \t * controls in the report.\" \t * HID Usage Table, v1.12, Section 4.3.1, p30 \t * \t * Thus, search from the current collection upwards until we find a \t * logical collection...  The comment and the code overlook the possibility that none of the collections found may be a Logical Collection.  The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21731",
                                "url": "https://ubuntu.com/security/CVE-2025-21731",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nbd: don't allow reconnect after disconnect  Following process can cause nbd_config UAF:  1) grab nbd_config temporarily;  2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:    nbd_genl_disconnect    nbd_disconnect_and_put     nbd_disconnect      flush_workqueue(nbd->recv_workq)     if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))      nbd_config_put      -> due to step 1), reference is still not zero  3) nbd_genl_reconfigure() queue recv_work() again;    nbd_genl_reconfigure    config = nbd_get_config_unlocked(nbd)    if (!config)    -> succeed    if (!test_bit(NBD_RT_BOUND, ...))    -> succeed    nbd_reconnect_socket     queue_work(nbd->recv_workq, &args->work)  4) step 1) release the reference;  5) Finally, recv_work() will trigger UAF:    recv_work    nbd_config_put(nbd)    -> nbd_config is freed    atomic_dec(&config->recv_threads)    -> UAF  Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-27 02:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37798",
                                "url": "https://ubuntu.com/security/CVE-2025-37798",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()  After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-02 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37997",
                                "url": "https://ubuntu.com/security/CVE-2025-37997",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: ipset: fix region locking in hash types  Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-22088",
                                "url": "https://ubuntu.com/security/CVE-2025-22088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()  After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-04-16 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-37890",
                                "url": "https://ubuntu.com/security/CVE-2025-37890",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc  As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).  This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.  [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-05-16 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-64.67 -proposed tracker (LP: #2114668)",
                            "",
                            "  * Unexpected system reboot at loading GUI session on some AMD platforms",
                            "    (LP: #2112462)",
                            "    - drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush",
                            "    - drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174)",
                            "    - s390/pci: rename lock member in struct zpci_dev",
                            "    - s390/pci: introduce lock to synchronize state of zpci_dev's",
                            "    - s390/pci: remove hotplug slot when releasing the device",
                            "    - s390/pci: Remove redundant bus removal and disable from",
                            "      zpci_release_device()",
                            "    - s390/pci: Prevent self deletion in disable_slot()",
                            "    - s390/pci: Allow re-add of a reserved but not yet removed device",
                            "    - s390/pci: Serialize device addition and removal",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174) // CVE-2025-37946",
                            "    - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has",
                            "      child VFs",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174) // CVE-2025-37974",
                            "    - s390/pci: Fix missing check for zpci_create_device() error return",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove",
                            "    (LP: #2114174) // CVE-2024-56699",
                            "    - s390/pci: Fix potential double remove of hotplug slot",
                            "",
                            "  * System will restart while resuming with SATA HDD or nvme installed with",
                            "    password set (LP: #2110090)",
                            "    - PCI: Explicitly put devices into D0 when initializing",
                            "",
                            "  * Noble update: upstream stable patchset 2025-06-12 (LP: #2114239)",
                            "    - btrfs: fix assertion failure when splitting ordered extent after",
                            "      transaction abort",
                            "    - btrfs: fix use-after-free when attempting to join an aborted transaction",
                            "    - arm64/mm: Ensure adequate HUGE_MAX_HSTATE",
                            "    - exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case",
                            "    - s390/stackleak: Use exrl instead of ex in __stackleak_poison()",
                            "    - btrfs: fix data race when accessing the inode's disk_i_size at",
                            "      btrfs_drop_extents()",
                            "    - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error",
                            "      handling",
                            "    - sched: Don't try to catch up excess steal time.",
                            "    - locking/ww_mutex/test: Use swap() macro",
                            "    - lockdep: Fix upper limit for LOCKDEP_*_BITS configs",
                            "    - x86/amd_nb: Restrict init function to AMD-based systems",
                            "    - drm/virtio: New fence for every plane update",
                            "    - drm: Add panel backlight quirks",
                            "    - drm: panel-backlight-quirks: Add Framework 13 matte panel",
                            "    - drm: panel-backlight-quirks: Add Framework 13 glossy and 2.8k panels",
                            "    - nvkm/gsp: correctly advance the read pointer of GSP message queue",
                            "    - nvkm: correctly calculate the available space of the GSP cmdq buffer",
                            "    - drm/amd/display: Populate chroma prefetch parameters, DET buffer fix",
                            "    - drm/amd/display: Overwriting dualDPP UBF values before usage",
                            "    - printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX",
                            "    - drm/connector: add mutex to protect ELD from concurrent access",
                            "    - drm/bridge: anx7625: use eld_mutex to protect access to connector->eld",
                            "    - drm/bridge: ite-it66121: use eld_mutex to protect access to",
                            "      connector->eld",
                            "    - drm/amd/display: use eld_mutex to protect access to connector->eld",
                            "    - drm/exynos: hdmi: use eld_mutex to protect access to connector->eld",
                            "    - drm/radeon: use eld_mutex to protect access to connector->eld",
                            "    - drm/sti: hdmi: use eld_mutex to protect access to connector->eld",
                            "    - drm/vc4: hdmi: use eld_mutex to protect access to connector->eld",
                            "    - drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor",
                            "    - drm/amdgpu: Don't enable sdma 4.4.5 CTXEMPTY interrupt",
                            "    - drm/amdkfd: Queue interrupt work to different CPU",
                            "    - drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT",
                            "    - drm/bridge: it6505: fix HDCP Bstatus check",
                            "    - drm/bridge: it6505: fix HDCP encryption when R0 ready",
                            "    - drm/bridge: it6505: fix HDCP CTS compare V matching",
                            "    - drm/bridge: it6505: fix HDCP V match check is not performed correctly",
                            "    - drm/bridge: it6505: fix HDCP CTS KSV list wait timer",
                            "    - safesetid: check size of policy writes",
                            "    - drm/amd/display: Increase sanitizer frame larger than limit when compile",
                            "      testing with clang",
                            "    - drm/amd/display: Limit Scaling Ratio on DCN3.01",
                            "    - wifi: rtw89: add crystal_cap check to avoid setting as overflow value",
                            "    - tun: fix group permission check",
                            "    - mmc: core: Respect quirk_max_rate for non-UHS SDIO card",
                            "    - mmc: sdhci-esdhc-imx: enable 'SDHCI_QUIRK_NO_LED' quirk for S32G",
                            "    - wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()",
                            "    - tomoyo: don't emit warning in tomoyo_write_control()",
                            "    - mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id",
                            "    - wifi: rtw88: add __packed attribute to efuse layout struct",
                            "    - clk: qcom: Make GCC_8150 depend on QCOM_GDSC",
                            "    - HID: multitouch: Add quirk for Hantick 5288 touchpad",
                            "    - HID: Wacom: Add PCI Wacom device support",
                            "    - net/mlx5: use do_aux_work for PHC overflow checks",
                            "    - wifi: brcmfmac: Check the return value of",
                            "      of_property_read_string_index()",
                            "    - wifi: iwlwifi: pcie: Add support for new device ids",
                            "    - wifi: iwlwifi: avoid memory leak",
                            "    - i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz",
                            "    - APEI: GHES: Have GHES honor the panic= setting",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3610 for MT7922",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3628 for MT7925",
                            "    - Bluetooth: MGMT: Fix slab-use-after-free Read in",
                            "      mgmt_remove_adv_monitor_sync",
                            "    - net: wwan: iosm: Fix hibernation by re-binding the driver around it",
                            "    - mmc: sdhci-msm: Correctly set the load for the regulator",
                            "    - octeon_ep: update tx/rx stats locally for persistence",
                            "    - tipc: re-order conditions in tipc_crypto_key_rcv()",
                            "    - selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack()",
                            "    - x86/kexec: Allocate PGD for x86_64 transition page tables separately",
                            "    - iommu/arm-smmu-qcom: add sdm670 adreno iommu compatible",
                            "    - iommu/arm-smmu-v3: Clean up more on probe failure",
                            "    - platform/x86: int3472: Check for adev == NULL",
                            "    - platform/x86: acer-wmi: Add support for Acer PH14-51",
                            "    - ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback",
                            "    - platform/x86: acer-wmi: Add support for Acer Predator PH16-72",
                            "    - ASoC: amd: Add ACPI dependency to fix build error",
                            "    - Input: allocate keycode for phone linking",
                            "    - platform/x86: acer-wmi: add support for Acer Nitro AN515-58",
                            "    - platform/x86: acer-wmi: Ignore AC events",
                            "    - xfs: report realtime block quota limits on realtime directories",
                            "    - xfs: don't over-report free space or inodes in statvfs",
                            "    - tty: xilinx_uartps: split sysrq handling",
                            "    - tty: vt: pass proper pointers from tioclinux()",
                            "    - tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN",
                            "    - tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT",
                            "    - platform/x86: serdev_helpers: Check for serial_ctrl_uid == NULL",
                            "    - nvme: handle connectivity loss in nvme_set_queue_count",
                            "    - firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry",
                            "    - gpu: drm_dp_cec: fix broken CEC adapter properties check",
                            "    - ice: put Rx buffers after being done with current frame",
                            "    - ice: gather page_count()'s of each frag right before XDP prog call",
                            "    - ice: stop storing XDP verdict within ice_rx_buf",
                            "    - nvme-fc: use ctrl state getter",
                            "    - net: bcmgenet: Correct overlaying of PHY and MAC Wake-on-LAN",
                            "    - vmxnet3: Fix tx queue race condition with XDP",
                            "    - tg3: Disable tg3 PCIe AER on system reboot",
                            "    - udp: gso: do not drop small packets when PMTU reduces",
                            "    - rxrpc: Fix the rxrpc_connection attend queue handling",
                            "    - gpio: pca953x: Improve interrupt support",
                            "    - net: atlantic: fix warning during hot unplug",
                            "    - net: rose: lock the socket in rose_bind()",
                            "    - ACPI: property: Fix return value for nval == 0 in acpi_data_prop_read()",
                            "    - tun: revert fix group permission check",
                            "    - net: sched: Fix truncation of offloaded action statistics",
                            "    - rxrpc: Fix call state set to not include the SERVER_SECURING state",
                            "    - cpufreq: s3c64xx: Fix compilation warning",
                            "    - leds: lp8860: Write full EEPROM, not only half of it",
                            "    - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14s-fq1xxx",
                            "    - drm/modeset: Handle tiled displays in pan_display_atomic.",
                            "    - drm/client: Handle tiled displays better",
                            "    - smb: client: fix order of arguments of tracepoints",
                            "    - smb: client: change lease epoch type from unsigned int to __u16",
                            "    - s390/futex: Fix FUTEX_OP_ANDN implementation",
                            "    - arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented",
                            "    - m68k: vga: Fix I/O defines",
                            "    - fs/proc: do_task_stat: Fix ESP not readable during coredump",
                            "    - binfmt_flat: Fix integer overflow bug on 32 bit systems",
                            "    - accel/ivpu: Fix Qemu crash when running in passthrough",
                            "    - arm64/kvm: Configure HYP TCR.PS/DS based on host stage1",
                            "    - arm64/sme: Move storage of reg_smidr to __cpuinfo_store_cpu()",
                            "    - KVM: arm64: timer: Always evaluate the need for a soft timer",
                            "    - drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event()",
                            "    - arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma",
                            "    - remoteproc: omap: Handle ARM dma_iommu_mapping",
                            "    - KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()",
                            "    - KVM: s390: vsie: fix some corner-cases when grabbing vsie pages",
                            "    - ksmbd: fix integer overflows on 32 bit systems",
                            "    - drm/amd/display: Optimize cursor position updates",
                            "    - drm/amd/pm: Mark MM activity as unsupported",
                            "    - drm/amdkfd: only flush the validate MES contex",
                            "    - drm/i915/guc: Debug print LRC state entries only if the context is",
                            "      pinned",
                            "    - drm/i915: Fix page cleanup on DMA remap failure",
                            "    - drm/komeda: Add check for komeda_get_layer_fourcc_list()",
                            "    - drm/i915/dp: Iterate DSC BPP from high to low on all platforms",
                            "    - drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes",
                            "    - drm/amd/display: Fix seamless boot sequence",
                            "    - Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection",
                            "    - clk: sunxi-ng: a100: enable MMC clock reparenting",
                            "    - clk: mmp2: call pm_genpd_init() only after genpd.name is set",
                            "    - media: i2c: ds90ub960: Fix UB9702 refclk register access",
                            "    - clk: qcom: clk-alpha-pll: fix alpha mode configuration",
                            "    - clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable()",
                            "    - clk: qcom: gcc-sm8650: Do not turn off PCIe GDSCs during gdsc_disable()",
                            "    - clk: qcom: gcc-sm6350: Add missing parent_map for two clocks",
                            "    - clk: qcom: dispcc-sm6350: Add missing parent_map for a clock",
                            "    - clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg",
                            "    - clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate",
                            "    - clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe",
                            "    - clk: mediatek: mt2701-aud: fix conversion to mtk_clk_simple_probe",
                            "    - clk: mediatek: mt2701-bdp: add missing dummy clk",
                            "    - clk: mediatek: mt2701-img: add missing dummy clk",
                            "    - clk: mediatek: mt2701-mm: add missing dummy clk",
                            "    - blk-cgroup: Fix class @block_class's subsystem refcount leakage",
                            "    - efi: libstub: Use '-std=gnu11' to fix build with GCC 15",
                            "    - perf bench: Fix undefined behavior in cmpworker()",
                            "    - scsi: ufs: core: Fix the HIGH/LOW_TEMP Bit Definitions",
                            "    - of: Correct child specifier used as input of the 2nd nexus node",
                            "    - of: Fix of_find_node_opts_by_path() handling of alias+path+options",
                            "    - Input: bbnsm_pwrkey - add remove hook",
                            "    - HID: hid-sensor-hub: don't use stale platform-data on remove",
                            "    - ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg()",
                            "    - atomic64: Use arch_spin_locks instead of raw_spin_locks",
                            "    - wifi: rtlwifi: rtl8821ae: Fix media status report",
                            "    - wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()",
                            "    - wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH",
                            "    - wifi: rtw88: sdio: Fix disconnection after beacon loss",
                            "    - wifi: mt76: mt7915: add module param to select 5 GHz or 6 GHz on MT7916",
                            "    - usb: gadget: f_tcm: Translate error to sense",
                            "    - usb: gadget: f_tcm: Decrement command ref count on cleanup",
                            "    - usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint",
                            "    - usb: gadget: f_tcm: Don't prepare BOT write request twice",
                            "    - usbnet: ipheth: fix possible overflow in DPE length check",
                            "    - usbnet: ipheth: use static NDP16 location in URB",
                            "    - usbnet: ipheth: check that DPE points past NCM header",
                            "    - usbnet: ipheth: refactor NCM datagram loop",
                            "    - usbnet: ipheth: break up NCM header size computation",
                            "    - usbnet: ipheth: fix DPE OoB read",
                            "    - usbnet: ipheth: document scope of NCM implementation",
                            "    - ASoC: acp: Support microphone from Lenovo Go S",
                            "    - soc: qcom: socinfo: Avoid out of bounds read of serial number",
                            "    - serial: sh-sci: Drop __initdata macro for port_cfg",
                            "    - serial: sh-sci: Do not probe the serial port if its slot in sci_ports[]",
                            "      is in use",
                            "    - MIPS: Loongson64: remove ROM Size unit in boardinfo",
                            "    - LoongArch: Extend the maximum number of watchpoints",
                            "    - powerpc/pseries/eeh: Fix get PE state translation",
                            "    - dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit()",
                            "    - dm-crypt: track tag_offset in convert_context",
                            "    - mips/math-emu: fix emulation of the prefx instruction",
                            "    - MIPS: pci-legacy: Override pci_address_to_pio",
                            "    - block: don't revert iter for -EIOCBQUEUED",
                            "    - firmware: qcom: scm: Fix missing read barrier in qcom_scm_is_available()",
                            "    - ALSA: hda/realtek: Enable headset mic on Positivo C6400",
                            "    - ALSA: hda: Fix headset detection failure due to unstable sort",
                            "    - ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model",
                            "    - ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA",
                            "    - arm64: tegra: Fix Tegra234 PCIe interrupt-map",
                            "    - PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf()",
                            "    - PCI: dwc: ep: Write BAR_MASK before iATU registers in pci_epc_set_bar()",
                            "    - PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()",
                            "    - scsi: st: Don't set pos_unknown just after device recognition",
                            "    - scsi: qla2xxx: Move FCE Trace buffer allocation to user control",
                            "    - scsi: ufs: qcom: Fix crypto key eviction",
                            "    - scsi: ufs: core: Fix use-after free in init error and remove paths",
                            "    - scsi: storvsc: Set correct data length for sending SCSI command without",
                            "      payload",
                            "    - scsi: core: Do not retry I/Os during depopulation",
                            "    - kbuild: Move -Wenum-enum-conversion to W=2",
                            "    - rust: init: use explicit ABI to clean warning in future compilers",
                            "    - x86/boot: Use '-std=gnu11' to fix build with GCC 15",
                            "    - ubi: Add a check for ubi_num",
                            "    - ARM: dts: dra7: Add bus_dma_limit for l4 cfg bus",
                            "    - ARM: dts: ti/omap: gta04: fix pm issues caused by spi module",
                            "    - arm64: dts: qcom: sm6115: Fix MPSS memory length",
                            "    - arm64: dts: qcom: sm6115: Fix CDSP memory length",
                            "    - arm64: dts: qcom: sm6115: Fix ADSP memory base and length",
                            "    - arm64: dts: qcom: sm6350: Fix ADSP memory length",
                            "    - arm64: dts: qcom: sm6350: Fix MPSS memory length",
                            "    - arm64: dts: qcom: sm6350: Fix uart1 interconnect path",
                            "    - arm64: dts: qcom: sm6375: Fix ADSP memory length",
                            "    - arm64: dts: qcom: sm6375: Fix CDSP memory base and length",
                            "    - arm64: dts: qcom: sm6375: Fix MPSS memory base and length",
                            "    - arm64: dts: qcom: sm8350: Fix ADSP memory base and length",
                            "    - arm64: dts: qcom: sm8350: Fix CDSP memory base and length",
                            "    - arm64: dts: qcom: sm8350: Fix MPSS memory length",
                            "    - arm64: dts: qcom: sm8450: Fix CDSP memory length",
                            "    - arm64: dts: qcom: sm8450: Fix MPSS memory length",
                            "    - arm64: dts: qcom: sm8550: Fix CDSP memory length",
                            "    - arm64: dts: qcom: sm8550: Fix MPSS memory length",
                            "    - arm64: dts: qcom: sm8450: add missing qcom,non-secure-domain property",
                            "    - arm64: dts: qcom: sm8450: Fix ADSP memory base and length",
                            "    - arm64: dts: qcom: sm8550: add missing qcom,non-secure-domain property",
                            "    - arm64: dts: qcom: sm8550: Add dma-coherent property",
                            "    - arm64: dts: qcom: sm8550: Fix ADSP memory base and length",
                            "    - arm64: dts: qcom: sm8650: Fix CDSP memory length",
                            "    - arm64: dts: qcom: sm8650: Fix MPSS memory length",
                            "    - arm64: dts: qcom: sm8550: correct MDSS interconnects",
                            "    - arm64: dts: qcom: sm8650: correct MDSS interconnects",
                            "    - crypto: qce - fix priority to be less than ARMv8 CE",
                            "    - arm64: tegra: Fix typo in Tegra234 dce-fabric compatible",
                            "    - arm64: tegra: Disable Tegra234 sce-fabric node",
                            "    - parisc: Temporarily disable jump label support",
                            "    - pwm: microchip-core: fix incorrect comparison with max period",
                            "    - xfs: Propagate errors from xfs_reflink_cancel_cow_range in",
                            "      xfs_dax_write_iomap_end",
                            "    - xfs: Add error handling for xfs_reflink_cancel_cow_range",
                            "    - ACPI: PRM: Remove unnecessary strict handler address checks",
                            "    - tpm: Change to kvalloc() in eventlog/acpi.c",
                            "    - rv: Reset per-task monitors also for idle tasks",
                            "    - hrtimers: Force migrate away hrtimers queued after",
                            "      CPUHP_AP_HRTIMERS_DYING",
                            "    - kfence: skip __GFP_THISNODE allocations on NUMA systems",
                            "    - media: ccs: Clean up parsed CCS static data on parse failure",
                            "    - mm/hugetlb: fix avoid_reserve to allow taking folio from subpool",
                            "    - iio: light: as73211: fix channel handling in only-color triggered buffer",
                            "    - soc: mediatek: mtk-devapc: Fix leaking IO map on error paths",
                            "    - soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove",
                            "    - soc: qcom: smem_state: fix missing of_node_put in error path",
                            "    - media: mmp: Bring back registration of the device",
                            "    - media: mc: fix endpoint iteration",
                            "    - media: nuvoton: Fix an error check in npcm_video_ece_init()",
                            "    - media: imx296: Add standby delay during probe",
                            "    - media: ov5640: fix get_light_freq on auto",
                            "    - media: stm32: dcmipp: correct dma_set_mask_and_coherent mask value",
                            "    - media: ccs: Fix CCS static data parsing for large block sizes",
                            "    - media: ccs: Fix cleanup order in ccs_probe()",
                            "    - media: i2c: ds90ub9x3: Fix extra fwnode_handle_put()",
                            "    - media: i2c: ds90ub960: Fix use of non-existing registers on UB9702",
                            "    - media: i2c: ds90ub960: Fix UB9702 VC map",
                            "    - media: i2c: ds90ub960: Fix logging SP & EQ status only for UB9702",
                            "    - media: uvcvideo: Fix crash during unbind if gpio unit is in use",
                            "    - media: uvcvideo: Fix event flags in uvc_ctrl_send_events",
                            "    - media: uvcvideo: Support partial control reads",
                            "    - media: uvcvideo: Remove redundant NULL assignment",
                            "    - media: uvcvideo: Refactor iterators",
                            "    - media: uvcvideo: Only save async fh if success",
                            "    - media: uvcvideo: Remove dangling pointers",
                            "    - mm: kmemleak: fix upper boundary check for physical address objects",
                            "    - mm/compaction: fix UBSAN shift-out-of-bounds warning",
                            "    - ata: libata-sff: Ensure that we cannot write outside the allocated",
                            "      buffer",
                            "    - crypto: qce - fix goto jump in error path",
                            "    - crypto: qce - unregister previously registered algos in error path",
                            "    - nvmem: qcom-spmi-sdam: Set size in struct nvmem_config",
                            "    - nvmem: core: improve range check for nvmem_cell_write()",
                            "    - nvmem: imx-ocotp-ele: simplify read beyond device check",
                            "    - nvmem: imx-ocotp-ele: fix MAC address byte order",
                            "    - nvmem: imx-ocotp-ele: fix reading from non zero offset",
                            "    - nvmem: imx-ocotp-ele: set word length to 1",
                            "    - io_uring: fix multishots with selected buffers",
                            "    - io_uring/net: don't retry connect operation on EPOLLERR",
                            "    - selftests: mptcp: connect: -f: no reconnect",
                            "    - pnfs/flexfiles: retry getting layout segment for reads",
                            "    - ocfs2: fix incorrect CPU endianness conversion causing mount failure",
                            "    - ocfs2: handle a symlink read error correctly",
                            "    - nilfs2: fix possible int overflows in nilfs_fiemap()",
                            "    - nfs: Make NFS_FSCACHE select NETFS_SUPPORT instead of depending on it",
                            "    - NFSD: Encode COMPOUND operation status on page boundaries",
                            "    - mailbox: tegra-hsp: Clear mailbox before using message",
                            "    - NFC: nci: Add bounds checking in nci_hci_create_pipe()",
                            "    - irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so",
                            "    - mtd: onenand: Fix uninitialized retlen in do_otp_read()",
                            "    - misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors",
                            "    - char: misc: deallocate static minor in error path",
                            "    - misc: fastrpc: Deregister device nodes properly in error scenarios",
                            "    - misc: fastrpc: Fix registered buffer page address",
                            "    - misc: fastrpc: Fix copy buffer page size",
                            "    - net/ncsi: wait for the last response to Deselect Package before",
                            "      configuring channel",
                            "    - net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset",
                            "    - maple_tree: simplify split calculation",
                            "    - scripts/gdb: fix aarch64 userspace detection in get_current_task",
                            "    - tracing/osnoise: Fix resetting of tracepoints",
                            "    - rtla/osnoise: Distinguish missing workload option",
                            "    - rtla: Add trace_instance_stop",
                            "    - rtla/timerlat_hist: Stop timerlat tracer on signal",
                            "    - rtla/timerlat_top: Stop timerlat tracer on signal",
                            "    - pinctrl: samsung: fix fwnode refcount cleanup if",
                            "      platform_get_irq_optional() fails",
                            "    - ptp: Ensure info->enable callback is always set",
                            "    - RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error",
                            "    - rtc: zynqmp: Fix optional clock name property",
                            "    - MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static",
                            "    - xfs: avoid nested calls to __xfs_trans_commit",
                            "    - xfs: don't lose solo superblock counter update transactions",
                            "    - spi: atmel-quadspi: Create `atmel_qspi_ops` to support newer SoC",
                            "      families",
                            "    - spi: atmel-qspi: Memory barriers after memory-mapped I/O",
                            "    - btrfs: avoid monopolizing a core when activating a swap file",
                            "    - mptcp: prevent excessive coalescing on receive",
                            "    - Revert \"drm/amd/display: Fix green screen issue after suspend\"",
                            "    - statmount: let unset strings be empty",
                            "    - arm64: dts: rockchip: add reset-names for combphy on rk3568",
                            "    - ocfs2: check dir i_size in ocfs2_find_entry",
                            "    - Upstream stable to v6.6.77, v6.12.14",
                            "",
                            "  * kvmppc_set_passthru_irq_hv: Could not assign IRQ map traces are seen when",
                            "    pci device is attached to kvm guest when \"xive=off\" is set (LP: #2109951)",
                            "    - KVM: PPC: Book3S HV: Fix IRQ map warnings with XICS on pSeries KVM Guest",
                            "",
                            "  * Latitude 5450 is experiencing packet loss on Ethernet in Ubuntu 22.04",
                            "    (LP: #2106558)",
                            "    - e1000e: change k1 configuration on MTP and later platforms",
                            "",
                            "  * cpufreq amd-pstate: cpuinfo_max_freq reports incorrect value",
                            "    (LP: #2109609)",
                            "    - SAUCE: Revert \"Revert \"cpufreq: amd-pstate: Fix the inconsistency in max",
                            "      frequency units\"\"",
                            "",
                            "  * Backport pci=config_acs parameter with fix commit (LP: #2100340)",
                            "    - PCI: Extend ACS configurability",
                            "    - PCI: Fix pci_enable_acs() support for the ACS quirks",
                            "    - PCI/ACS: Fix 'pci=config_acs=' parameter",
                            "",
                            "  * [UBUNTU 24.04] s390/pci: Fix zpci_bus_is_isolated_vf() for non-VF",
                            "    (LP: #2111599)",
                            "    - s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs",
                            "",
                            "  * nvme/tcp hangs IO on arm (LP: #2106381)",
                            "    - nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch",
                            "",
                            "  * CVE-2025-37750",
                            "    - smb: client: fix UAF in decryption with multichannel",
                            "",
                            "  * CVE-2025-40364",
                            "    - io_uring: fix io_req_prep_async with provided buffers",
                            "",
                            "  * CVE-2024-49887",
                            "    - f2fs: fix to handle segment allocation failure correctly",
                            "    - f2fs: fix to don't panic system for no free segment fault injection",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953)",
                            "    - powerpc/book3s64/hugetlb: Fix disabling hugetlb when fadump is active",
                            "    - dlm: fix srcu_read_lock() return type to int",
                            "    - afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY",
                            "    - afs: Fix directory format encoding struct",
                            "    - afs: Fix cleanup of immediately failed async calls",
                            "    - fs: fix proc_handler for sysctl_nr_open",
                            "    - block: retry call probe after request_module in blk_request_module",
                            "    - pstore/blk: trivial typo fixes",
                            "    - nvme: Add error check for xa_store in nvme_get_effects_log",
                            "    - selftests/powerpc: Fix argument order to timer_sub()",
                            "    - nvme: Add error path for xa_store in nvme_init_effects",
                            "    - partitions: ldm: remove the initial kernel-doc notation",
                            "    - select: Fix unbalanced user_access_end()",
                            "    - nvme: fix bogus kzalloc() return check in nvme_init_effects_log()",
                            "    - afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call",
                            "    - perf/core: Save raw sample data conditionally based on sample type",
                            "    - sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat",
                            "    - x86/cpu: Enable SD_ASYM_PACKING for PKG domain on AMD",
                            "    - x86/topology: Use x86_sched_itmt_flags for PKG domain unconditionally",
                            "    - drm/msm/dp: set safe_to_exit_level before printing it",
                            "    - drm/etnaviv: Fix page property being used for non writecombine buffers",
                            "    - drm/amd/pm: Fix an error handling path in",
                            "      vega10_enable_se_edc_force_stall_config()",
                            "    - drm/rockchip: vop2: Fix cluster windows alpha ctrl regsiters offset",
                            "    - drm/rockchip: vop2: Fix the mixer alpha setup for layer 0",
                            "    - drm/rockchip: vop2: Fix the windows switch between different layers",
                            "    - drm/rockchip: vop2: Check linear format for Cluster windows on rk3566/8",
                            "    - drm/rockchip: vop2: include rockchip_drm_drv.h",
                            "    - drm/msm/dpu: link DSPP_2/_3 blocks on SM8150",
                            "    - drm/msm/dpu: link DSPP_2/_3 blocks on SC8180X",
                            "    - drm/msm/dpu: link DSPP_2/_3 blocks on SM8250",
                            "    - drm/msm/dpu: link DSPP_2/_3 blocks on SM8350",
                            "    - drm/msm/dpu: link DSPP_2/_3 blocks on SM8550",
                            "    - drm/msm: Check return value of of_dma_configure()",
                            "    - drm/bridge: it6505: Change definition of AUX_FIFO_MAX_SIZE",
                            "    - drm/amdgpu: tear down ttm range manager for doorbell in",
                            "      amdgpu_ttm_fini()",
                            "    - genirq: Make handle_enforce_irqctx() unconditionally available",
                            "    - wifi: ath11k: Fix unexpected return buffer manager error for",
                            "      WCN6750/WCN6855",
                            "    - wifi: rtlwifi: do not complete firmware loading needlessly",
                            "    - wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last",
                            "      step",
                            "    - wifi: rtlwifi: wait for firmware loading before releasing memory",
                            "    - wifi: rtlwifi: fix init_sw_vars leak when probe fails",
                            "    - wifi: rtlwifi: usb: fix workqueue leak when probe fails",
                            "    - net_sched: sch_sfq: annotate data-races around q->perturb_period",
                            "    - net_sched: sch_sfq: handle bigger packets",
                            "    - spi: zynq-qspi: Add check for clk_enable()",
                            "    - dt-bindings: mmc: controller: clarify the address-cells description",
                            "    - of: remove internal arguments from of_property_for_each_u32()",
                            "    - clk: fix an OF node reference leak in of_clk_get_parent_name()",
                            "    - dt-bindings: leds: class-multicolor: Fix path to color definitions",
                            "    - wifi: rtlwifi: destroy workqueue at rtl_deinit_core",
                            "    - wifi: rtlwifi: pci: wait for firmware loading before releasing memory",
                            "    - HID: multitouch: fix support for Goodix PID 0x01e9",
                            "    - regulator: dt-bindings: mt6315: Drop regulator-compatible property",
                            "    - wifi: brcmfmac: add missing header include for brcmf_dbg",
                            "    - ACPI: fan: cleanup resources in the error path of .probe()",
                            "    - cpupower: fix TSC MHz calculation",
                            "    - dt-bindings: mfd: bd71815: Fix rsense and typos",
                            "    - leds: netxbig: Fix an OF node reference leak in",
                            "      netxbig_leds_get_of_pdata()",
                            "    - inetpeer: remove create argument of inet_getpeer_v[46]()",
                            "    - inetpeer: remove create argument of inet_getpeer()",
                            "    - inetpeer: update inetpeer timestamp in inet_getpeer()",
                            "    - inetpeer: do not get a refcount in inet_getpeer()",
                            "    - pwm: stm32-lp: Add check for clk_enable()",
                            "    - cpufreq: schedutil: Fix superfluous updates caused by need_freq_update",
                            "    - gpio: pca953x: log an error when failing to get the reset GPIO",
                            "    - cpufreq: qcom: Fix qcom_cpufreq_hw_recalc_rate() to query LUT if LMh IRQ",
                            "      is not available",
                            "    - cpufreq: qcom: Implement clk_ops::determine_rate() for qcom_cpufreq*",
                            "      clocks",
                            "    - clk: imx8mp: Fix clkout1/2 support",
                            "    - dt-bindings: clock: sunxi: Export PLL_VIDEO_2X and PLL_MIPI",
                            "    - clk: sunxi-ng: a64: drop redundant CLK_PLL_VIDEO0_2X and CLK_PLL_MIPI",
                            "    - clk: sunxi-ng: a64: stop force-selecting PLL-MIPI as TCON0 parent",
                            "    - regulator: of: Implement the unwind path of of_regulator_match()",
                            "    - OPP: OF: Fix an OF node leak in _opp_add_static_v2()",
                            "    - ipmi: ssif_bmc: Fix new request loss when bmc ready for a response",
                            "    - wifi: ath12k: fix tx power, max reg power update to firmware",
                            "    - clk: qcom: gcc-sdm845: Do not use shared clk_ops for QUPs",
                            "    - HID: fix generic desktop D-Pad controls",
                            "    - leds: cht-wcove: Use devm_led_classdev_register() to avoid memory leak",
                            "    - mfd: syscon: Remove extern from function prototypes",
                            "    - mfd: syscon: Add of_syscon_register_regmap() API",
                            "    - mfd: syscon: Use scoped variables with memory allocators to simplify",
                            "      error paths",
                            "    - mfd: syscon: Fix race in device_node_get_regmap()",
                            "    - samples/landlock: Fix possible NULL dereference in parse_path()",
                            "    - wifi: wlcore: fix unbalanced pm_runtime calls",
                            "    - wifi: mt76: mt7915: Fix mesh scan on MT7916 DBDC",
                            "    - wifi: mac80211: fix tid removal during mesh forwarding",
                            "    - wifi: mac80211: Fix common size calculation for ML element",
                            "    - net/smc: fix data error when recvmsg with MSG_PEEK flag",
                            "    - wifi: mt76: mt76u_vendor_request: Do not print error messages when",
                            "      -EPROTO",
                            "    - wifi: mt76: mt7921: fix using incorrect group cipher after",
                            "      disconnection.",
                            "    - wifi: mt76: mt7915: fix overflows seen when writing limit attributes",
                            "    - wifi: mt76: mt7996: fix rx filter setting for bfee functionality",
                            "    - wifi: mt76: mt7915: firmware restart on devices with a second pcie link",
                            "    - wifi: mt76: connac: move mt7615_mcu_del_wtbl_all to connac",
                            "    - wifi: mt76: mt7915: improve hardware restart reliability",
                            "    - wifi: mt76: mt7915: fix omac index assignment after hardware reset",
                            "    - wifi: mt76: mt7915: fix register mapping",
                            "    - wifi: mt76: mt7996: fix register mapping",
                            "    - wifi: mt76: mt7996: add max mpdu len capability",
                            "    - wifi: mt76: mt7996: fix the capability of reception of EHT MU PPDU",
                            "    - wifi: mt76: mt7996: fix HE Phy capability",
                            "    - wifi: mt76: mt7996: fix incorrect indexing of MIB FW event",
                            "    - wifi: mt76: mt7996: fix ldpc setting",
                            "    - cpufreq: ACPI: Fix max-frequency computation",
                            "    - selftests: timers: clocksource-switch: Adapt progress to kselftest",
                            "      framework",
                            "    - selftests: harness: fix printing of mismatch values in __EXPECT()",
                            "    - wifi: cfg80211: adjust allocation of colocated AP data",
                            "    - inet: ipmr: fix data-races",
                            "    - clk: analogbits: Fix incorrect calculation of vco rate delta",
                            "    - pwm: stm32: Add check for clk_enable()",
                            "    - selftests/landlock: Fix error message",
                            "    - net/mlxfw: Drop hard coded max FW flash image size",
                            "    - octeon_ep: remove firmware stats fetch in ndo_get_stats64",
                            "    - netfilter: nf_tables: fix set size with rbtree backend",
                            "    - netfilter: nft_flow_offload: update tcp state flags under lock",
                            "    - tcp_cubic: fix incorrect HyStart round start detection",
                            "    - libbpf: don't adjust USDT semaphore address if .stapsdt.base addr is",
                            "      missing",
                            "    - tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind",
                            "    - libbpf: Fix segfault due to libelf functions not setting errno",
                            "    - ASoC: sun4i-spdif: Add clock multiplier settings",
                            "    - selftests/bpf: Fix fill_link_info selftest on powerpc",
                            "    - crypto: caam - use JobR's space to access page 0 regs",
                            "    - perf header: Fix one memory leakage in process_bpf_btf()",
                            "    - perf header: Fix one memory leakage in process_bpf_prog_info()",
                            "    - perf bpf: Fix two memory leakages when calling",
                            "      perf_env__insert_bpf_prog_info()",
                            "    - ASoC: renesas: rz-ssi: Use only the proper amount of dividers",
                            "    - perf expr: Initialize is_test value in expr__ctx_new()",
                            "    - ktest.pl: Remove unused declarations in run_bisect_test function",
                            "    - crypto: hisilicon/sec2 - fix for aead icv error",
                            "    - crypto: hisilicon/sec2 - fix for aead invalid authsize",
                            "    - crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto()",
                            "    - ALSA: seq: remove redundant 'tristate' for SND_SEQ_UMP_CLIENT",
                            "    - ALSA: seq: Make dependency on UMP clearer",
                            "    - padata: fix sysfs store callback check",
                            "    - perf top: Don't complain about lack of vmlinux when not resolving some",
                            "      kernel samples",
                            "    - perf machine: Don't ignore _etext when not a text symbol",
                            "    - perf namespaces: Introduce nsinfo__set_in_pidns()",
                            "    - perf namespaces: Fixup the nsinfo__in_pidns() return type, its bool",
                            "    - ASoC: Intel: avs: Prefix SKL/APL-specific members",
                            "    - ASoC: Intel: avs: Abstract IPC handling",
                            "    - ASoC: Intel: avs: Do not readq() u32 registers",
                            "    - ASoC: Intel: avs: Fix theoretical infinite loop",
                            "    - perf report: Fix misleading help message about --demangle",
                            "    - pinctrl: stm32: Add check for clk_enable()",
                            "    - pinctrl: amd: Take suspend type into consideration which pins are non-",
                            "      wake",
                            "    - bpf: tcp: Mark bpf_load_hdr_opt() arg2 as read-write",
                            "    - ALSA: hda/realtek - Fixed headphone distorted sound on Acer Aspire",
                            "      A115-31 laptop",
                            "    - perf lock: Fix parse_lock_type which only retrieve one lock flag",
                            "    - padata: add pd get/put refcnt helper",
                            "    - cifs: Use cifs_autodisable_serverino() for disabling",
                            "      CIFS_MOUNT_SERVER_INUM in readdir.c",
                            "    - soc: atmel: fix device_node release in atmel_soc_device_init()",
                            "    - ARM: at91: pm: change BU Power Switch to automatic mode",
                            "    - arm64: dts: mediatek: mt8186: Move wakeup to MTU3 to get working suspend",
                            "    - arm64: dts: mt8183: set DMIC one-wire mode on Damu",
                            "    - arm64: dts: mediatek: mt8516: fix GICv2 range",
                            "    - arm64: dts: mediatek: mt8516: fix wdt irq type",
                            "    - arm64: dts: mediatek: mt8516: add i2c clock-div property",
                            "    - arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A",
                            "    - ARM: dts: stm32: Fix IPCC EXTI declaration on stm32mp151",
                            "    - RDMA/mlx4: Avoid false error about access to uninitialized gids array",
                            "    - arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property",
                            "    - arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property",
                            "    - arm64: dts: mediatek: mt8192-asurada: Drop regulator-compatible property",
                            "    - arm64: dts: mediatek: mt8195-cherry: Drop regulator-compatible property",
                            "    - arm64: dts: mediatek: mt8195-demo: Drop regulator-compatible property",
                            "    - arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names",
                            "    - arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names",
                            "    - ARM: dts: aspeed: yosemite4: correct the compatible string of adm1272",
                            "    - ARM: dts: aspeed: yosemite4: Add required properties for IOE on fan",
                            "      boards",
                            "    - ARM: dts: aspeed: yosemite4: correct the compatible string for max31790",
                            "    - arm: dts: socfpga: use reset-name \"stmmaceth-ocp\" instead of \"ahb\"",
                            "    - RDMA/rxe: Improve newline in printing messages",
                            "    - RDMA/rxe: Fix mismatched max_msg_sz",
                            "    - arm64: dts: mediatek: mt8183: kenzo: Support second source touchscreen",
                            "    - arm64: dts: mediatek: mt8183: willow: Support second source touchscreen",
                            "    - RDMA/srp: Fix error handling in srp_add_port",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie1",
                            "    - ARM: dts: stm32: Deduplicate serial aliases and chosen node for",
                            "      STM32MP15xx DHCOM SoM",
                            "    - ARM: dts: stm32: Swap USART3 and UART8 alias on STM32MP15xx DHCOM SoM",
                            "    - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Drop pp3300_panel voltage",
                            "      settings",
                            "    - arm64: dts: qcom: msm8996-xiaomi-gemini: Fix LP5562 LED1 reg property",
                            "    - arm64: dts: qcom: move common parts for sa8775p-ride variants into a",
                            "      .dtsi",
                            "    - arm64: dts: qcom: sa8775p: Update sleep_clk frequency",
                            "    - arm64: dts: qcom: msm8996: Fix up USB3 interrupts",
                            "    - arm64: dts: qcom: msm8994: Describe USB interrupts",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Drop extra qcom,msm-id value",
                            "    - arm64: dts: qcom: msm8916: correct sleep clock frequency",
                            "    - arm64: dts: qcom: msm8939: correct sleep clock frequency",
                            "    - arm64: dts: qcom: msm8994: correct sleep clock frequency",
                            "    - arm64: dts: qcom: qcs404: correct sleep clock frequency",
                            "    - arm64: dts: qcom: q[dr]u1000: correct sleep clock frequency",
                            "    - arm64: dts: qcom: qrb4210-rb2: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sc7280: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sdx75: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm4450: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm6125: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm6375: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm8250: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm8350: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm8450: correct sleep clock frequency",
                            "    - ARM: dts: microchip: sama5d27_wlsom1_ek: Add no-1-8-v property to sdmmc0",
                            "      node",
                            "    - arm64: dts: ti: k3-am62: Remove duplicate GICR reg",
                            "    - arm64: dts: ti: k3-am62a: Remove duplicate GICR reg",
                            "    - arm64: dts: allwinner: a64: explicitly assign clock parent for TCON0",
                            "    - RDMA/bnxt_re: Fix to drop reference to the mmap entry in case of error",
                            "    - ARM: omap1: Fix up the Retu IRQ on Nokia 770",
                            "    - arm64: dts: qcom: sdm845-db845c-navigation-mezzanine: Convert mezzanine",
                            "      riser to dtso",
                            "    - arm64: dts: qcom: sdm845-db845c-navigation-mezzanine: remove disabled",
                            "      ov7251 camera",
                            "    - arm64: dts: qcom: sc7180-trogdor-quackingstick: add missing avee-supply",
                            "    - arm64: dts: qcom: sc7180-*: Remove thermal zone polling delays",
                            "    - arm64: dts: qcom: sc7180-trogdor-pompom: rename 5v-choke thermal zone",
                            "    - arm64: dts: qcom: sc7180: change labels to lower-case",
                            "    - arm64: dts: qcom: sc7180: fix psci power domain node names",
                            "    - arm64: dts: qcom: sm8150-microsoft-surface-duo: fix typos in da7280",
                            "      properties",
                            "    - arm64: dts: qcom: sc8280xp: Fix up remoteproc register space sizes",
                            "    - dts: arm64: mediatek: mt8195: Remove MT8183 compatible for OVL",
                            "    - arm64: dts: mediatek: add per-SoC compatibles for keypad nodes",
                            "    - arm64: dts: qcom: sdm845: Fix interrupt types of camss interrupts",
                            "    - arm64: dts: qcom: sm8250: Fix interrupt types of camss interrupts",
                            "    - ARM: dts: mediatek: mt7623: fix IR nodename",
                            "    - fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device()",
                            "    - arm64: tegra: Fix DMA ID for SPI2",
                            "    - i3c: dw: Add hot-join support.",
                            "    - RDMA/mlx5: Fix indirect mkey ODP page count",
                            "    - of: reserved-memory: Do not make kmemleak ignore freed address",
                            "    - efi: sysfb_efi: fix W=1 warnings when EFI is not set",
                            "    - spi: omap2-mcspi: Correctly handle devm_clk_get_optional() errors",
                            "    - media: rc: iguanair: handle timeouts",
                            "    - media: lmedm04: Handle errors for lme2510_int_read",
                            "    - PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()",
                            "    - media: marvell: Add check for clk_enable()",
                            "    - media: i2c: imx290: Register 0x3011 varies between imx327 and imx290",
                            "    - media: i2c: imx412: Add missing newline to prints",
                            "    - media: i2c: ov9282: Correct the exposure offset",
                            "    - media: mipi-csis: Add check for clk_enable()",
                            "    - media: camif-core: Add check for clk_enable()",
                            "    - media: uvcvideo: Propagate buf->error to userspace",
                            "    - mtd: rawnand: brcmnand: fix status read of brcmnand_waitfunc",
                            "    - mtd: hyperbus: hbmc-am654: fix an OF node reference leak",
                            "    - media: nxp: imx8-isi: fix v4l2-compliance test errors",
                            "    - watchdog: rti_wdt: Fix an OF node leak in rti_wdt_probe()",
                            "    - staging: media: imx: fix OF node leak in imx_media_add_of_subdevs()",
                            "    - media: dvb-usb-v2: af9035: fix ISO C90 compilation error on",
                            "      af9035_i2c_master_xfer",
                            "    - PCI: endpoint: pci-epf-test: Set dma_chan_rx pointer to NULL on error",
                            "    - PCI: endpoint: pci-epf-test: Fix check for DMA MEMCPY test",
                            "    - scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1",
                            "    - scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails",
                            "    - ocfs2: mark dquot as inactive if failed to start trans while releasing",
                            "      dquot",
                            "    - module: Extend the preempt disabled section in",
                            "      dereference_symbol_descriptor().",
                            "    - serial: 8250: Adjust the timeout for FIFO mode",
                            "    - NFSv4.2: fix COPY_NOTIFY xdr buf size calculation",
                            "    - NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE",
                            "    - tools/bootconfig: Fix the wrong format specifier",
                            "    - xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO",
                            "    - dmaengine: ti: edma: fix OF node reference leaks in edma_driver",
                            "    - rtc: loongson: clear TOY_MATCH0_REG in loongson_rtc_isr()",
                            "    - regulator: core: Add missing newline character",
                            "    - gpio: mxc: remove dead code after switch to DT-only",
                            "    - net: fec: implement TSO descriptor cleanup",
                            "    - PM: hibernate: Add error handling for syscore_suspend()",
                            "    - iavf: allow changing VLAN state without calling PF",
                            "    - net: netdevsim: try to close UDP port harness races",
                            "    - ptp: Properly handle compat ioctls",
                            "    - net: stmmac: Limit the number of MTL queues to hardware capability",
                            "    - net: stmmac: Limit FIFO size by hardware capability",
                            "    - perf trace: Fix runtime error of index out of bounds",
                            "    - Bluetooth: btnxpuart: Fix glitches seen in dual A2DP streaming",
                            "    - vsock: Allow retrying on connect() failure",
                            "    - bgmac: reduce max frame size to support just MTU 1500",
                            "    - net: sh_eth: Fix missing rtnl lock in suspend/resume path",
                            "    - genksyms: fix memory leak when the same symbol is added from source",
                            "    - genksyms: fix memory leak when the same symbol is read from *.symref",
                            "      file",
                            "    - RISC-V: Mark riscv_v_init() as __init",
                            "    - ASoC: rockchip: i2s_tdm: Re-add the set_sysclk callback",
                            "    - io_uring/uring_cmd: use cached cmd_op in io_uring_cmd_sock()",
                            "    - cifs: Fix getting and setting SACLs over SMB1",
                            "    - kconfig: fix file name in warnings when loading KCONFIG_DEFCONFIG_LIST",
                            "    - kconfig: fix memory leak in sym_warn_unmet_dep()",
                            "    - hexagon: fix using plain integer as NULL pointer warning in cmpxchg",
                            "    - hexagon: Fix unbalanced spinlock in die()",
                            "    - f2fs: Introduce linear search for dentries",
                            "    - Revert \"SUNRPC: Reduce thread wake-up rate when receiving large RPC",
                            "      messages\"",
                            "    - kbuild: switch from lz4c to lz4 for compression",
                            "    - selftests/rseq: Fix handling of glibc without rseq support",
                            "    - ktest.pl: Check kernelrelease return in get_version",
                            "    - ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro",
                            "    - usb: gadget: f_tcm: Fix Get/SetInterface return value",
                            "    - usb: dwc3-am62: Fix an OF node leak in phy_syscon_pll_refclk()",
                            "    - usb: dwc3: core: Defer the probe until USB power supply ready",
                            "    - usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to",
                            "      PD_T_SENDER_RESPONSE",
                            "    - usb: typec: tcpci: Prevent Sink disconnection before vPpsShutdown in SPR",
                            "      PPS",
                            "    - btrfs: output the reason for open_ctree() failure",
                            "    - s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS",
                            "    - LoongArch: Change 8 to 14 for LOONGARCH_MAX_{BRP,WRP}",
                            "    - block: copy back bounce buffer to user-space correctly in case of split",
                            "    - nvme-tcp: Fix I/O queue cpu spreading for multiple controllers",
                            "    - sched/fair: Untangle NEXT_BUDDY and pick_next_task()",
                            "    - sched: Fix race between yield_to() and try_to_wake_up()",
                            "    - drm/v3d: Fix performance counter source settings on V3D 7.x",
                            "    - drm/rockchip: vop2: fix rk3588 dp+dsi maxclk verification",
                            "    - drm/rockchip: vop2: Set AXI id for rk3588",
                            "    - drm/rockchip: vop2: Setup delay cycle for Esmart2/3",
                            "    - drm/rockchip: vop2: Add check for 32 bpp format for rk3588",
                            "    - drm/msm/dpu: provide DSPP and correct LM config for SDM670",
                            "    - drm/msm/dpu: link DSPP_2/_3 blocks on SM8650",
                            "    - drm/msm: don't clean up priv->kms prematurely",
                            "    - drm/msm/mdp4: correct LCDC regulator name",
                            "    - wifi: rtlwifi: rtl8821ae: phy: restore removed code to fix infinite loop",
                            "    - selftests/bpf: Actuate tx_metadata_len in xdp_hw_metadata",
                            "    - selftests: ktap_helpers: Fix uninitialized variable",
                            "    - inet: constify inet_sk_bound_dev_eq() net parameter",
                            "    - inet: constify 'struct net' parameter of various lookup helpers",
                            "    - udp: constify 'struct net' parameter of socket lookups",
                            "    - inet6: constify 'struct net' parameter of various lookup helpers",
                            "    - ipv6: udp: constify 'struct net' parameter of socket lookups",
                            "    - dt-bindings: clock: imx93: Drop IMX93_CLK_END macro definition",
                            "    - dt-bindings: clock: Add i.MX91 clock support",
                            "    - dt-bindings: clock: imx93: Add SPDIF IPG clk",
                            "    - clk: imx93: Move IMX93_CLK_END macro to clk driver",
                            "    - clk: imx: add i.MX91 clk",
                            "    - clk: imx93: Add IMX93_CLK_SPDIF_IPG clock",
                            "    - arm64: dts: imx93: Use IMX93_CLK_SPDIF_IPG as SPDIF IPG clock",
                            "    - clk: imx: Apply some clks only for i.MX93",
                            "    - wifi: rtw89: mcc: consider time limits not divisible by 1024",
                            "    - wifi: iwlwifi: cleanup uefi variables loading",
                            "    - wifi: iwlwifi: fw: read STEP table from correct UEFI var",
                            "    - wifi: mt76: mt7996: fix overflows seen when writing limit attributes",
                            "    - wifi: mt76: mt7996: fix definition of tx descriptor",
                            "    - Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name()",
                            "    - platform/mellanox: mlxbf-pmc: incorrect type in assignment",
                            "    - platform/x86: x86-android-tablets: make platform data be static",
                            "    - crypto: api - Fix boot-up self-test race",
                            "    - pinctrl: nomadik: Add check for clk_enable()",
                            "    - rhashtable: Fix potential deadlock by moving schedule_work outside lock",
                            "    - crypto: iaa - Fix IAA disabling that occurs when sync_mode is set to",
                            "      'async'",
                            "    - perf maps: Fix display of kernel symbols",
                            "    - perf MANIFEST: Add arch/*/include/uapi/asm/bpf_perf_event.h to the perf",
                            "      tarball",
                            "    - ALSA: hda: Fix compilation of snd_hdac_adsp_xxx() helpers",
                            "    - tools: Sync if_xdp.h uapi tooling header",
                            "    - rhashtable: Fix rhashtable_try_insert test",
                            "    - ARM: dts: imx7-tqma7: add missing vs-supply for LM75A (rev. 01xxx)",
                            "    - arm64: dts: renesas: rzg3s-smarc: Fix the debug serial alias",
                            "    - arm64: dts: mediatek: mt8395-genio-1200-evk: Drop regulator-compatible",
                            "      property",
                            "    - arm64: dts: qcom: sm8550: correct sleep clock frequency",
                            "    - arm64: dts: qcom: sm8650: correct sleep clock frequency",
                            "    - arm64: dts: qcom: x1e80100: correct sleep clock frequency",
                            "    - ARM: dts: microchip: sama5d29_curiosity: Add no-1-8-v property to sdmmc0",
                            "      node",
                            "    - RDMA/hns: Clean up the legacy CONFIG_INFINIBAND_HNS",
                            "    - [Config] updateconfigs for INFINIBAND_HNS",
                            "    - RDMA/cxgb4: Notify rdma stack for IB_EVENT_QP_LAST_WQE_REACHED event",
                            "    - iommu: iommufd: fix WARNING in iommufd_device_unbind",
                            "    - remoteproc: mtk_scp: Only populate devices for SCP cores",
                            "    - PCI: imx6: Deassert apps_reset in imx_pcie_deassert_core_reset()",
                            "    - PCI: dwc: Always stop link in the dw_pcie_suspend_noirq",
                            "    - PCI: microchip: Add support for using either Root Port 1 or 2",
                            "    - PCI: microchip: Set inbound address translation for coherent or non-",
                            "      coherent mode",
                            "    - erofs: get rid of erofs_{find,insert}_workgroup",
                            "    - erofs: move erofs_workgroup operations into zdata.c",
                            "    - erofs: sunset `struct erofs_workgroup`",
                            "    - erofs: fix potential return value overflow of z_erofs_shrink_scan()",
                            "    - tty: mips_ejtag_fdc: fix one more u8 warning",
                            "    - xfrm: Add support for per cpu xfrm state handling.",
                            "    - xfrm: Cache used outbound xfrm states at the policy.",
                            "    - xfrm: Add an inbound percpu state cache.",
                            "    - xfrm: Don't disable preemption while looking up cache state.",
                            "    - idpf: add read memory barrier when checking descriptor done bit",
                            "    - net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling",
                            "    - tools: ynl: c: correct reverse decode of empty attrs",
                            "    - selftests: mptcp: extend CFLAGS to keep options from environment",
                            "    - selftests: net/{lib,openvswitch}: extend CFLAGS to keep options from",
                            "      environment",
                            "    - net: ethtool: only allow set_rxnfc with rss + ring_cookie if driver opts",
                            "      in",
                            "    - ethtool: Fix set RXNFC command with symmetric RSS hash",
                            "    - tools/power turbostat: Fix forked child affinity regression",
                            "    - md: add a new callback pers->bitmap_sector()",
                            "    - md/raid5: implement pers->bitmap_sector()",
                            "    - xfs: check for dead buffers in xfs_buf_find_insert",
                            "    - xfs: don't shut down the filesystem for media failures beyond end of log",
                            "    - usb: dwc3: Skip resume if pm_runtime_set_active() fails",
                            "    - clk: qcom: gcc-x1e80100: Do not turn off usb_2 controller GDSC",
                            "    - xfrm: Add error handling when nla_put_u32() returns an error",
                            "    - xfrm: Fix acquire state insertion.",
                            "    - ethtool: Fix access to uninitialized fields in set RXNFC command",
                            "    - ASoC: da7213: Initialize the mutex",
                            "    - drm/amd/display: Add hubp cache reset when powergating",
                            "    - KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update()",
                            "    - ethtool: ntuple: fix rss + ring_cookie check",
                            "    - Upstream stable to v6.6.76, v6.12.13",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57975",
                            "    - btrfs: do proper folio cleanup when run_delalloc_nocow() failed",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21714",
                            "    - RDMA/mlx5: Fix implicit ODP use after free",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21801",
                            "    - net: ravb: Fix missing rtnl lock in suspend/resume path",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21809",
                            "    - rxrpc, afs: Fix peer hash locking vs RCU callback",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58057",
                            "    - idpf: convert workqueues to unbound",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57953",
                            "    - rtc: tps6594: Fix integer overflow on 32bit systems",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57982",
                            "    - xfrm: state: fix out-of-bounds read during lookup",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21721",
                            "    - nilfs2: handle errors that nilfs_prepare_chunk() may return",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21722",
                            "    - nilfs2: do not force clear folio if buffer is referenced",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21798",
                            "    - firewire: test: Fix potential null dereference in firewire kunit test",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21723",
                            "    - scsi: mpi3mr: Fix possible crash when setting up bsg fails",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21724",
                            "    - iommufd/iova_bitmap: Fix shift-out-of-bounds in",
                            "      iova_bitmap_offset_to_index()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21825",
                            "    - bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57990",
                            "    - wifi: mt76: mt7925: fix off by one in mt7925_load_clc()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57974",
                            "    - udp: Deal with race between UDP socket address change and rehash",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57994",
                            "    - ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57999",
                            "    - powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58054",
                            "    - staging: media: max96712: fix kernel oops when removing module",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58055",
                            "    - usb: gadget: f_tcm: Don't free command immediately",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57979",
                            "    - pps: Fix a use-after-free",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57980",
                            "    - media: uvcvideo: Fix double free in error path",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58056",
                            "    - remoteproc: core: Fix ida_free call while not allocated",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21705",
                            "    - mptcp: handle fastopen disconnect correctly",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21707",
                            "    - mptcp: consolidate suboption status",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57981",
                            "    - usb: xhci: Fix NULL pointer dereference on certain command aborts",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21708",
                            "    - net: usb: rtl8150: enable basic endpoint checking",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21826",
                            "    - netfilter: nf_tables: reject mismatching sum of field_len with set key",
                            "      length",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21808",
                            "    - net: xdp: Disallow attaching device-bound programs in generic mode",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21710",
                            "    - tcp: correct handling of extreme memory squeeze",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21715",
                            "    - net: davicom: fix UAF in dm9000_drv_remove",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21716",
                            "    - vxlan: Fix uninit-value in vxlan_vnifilter_dump()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21718",
                            "    - net: rose: fix timer races against user threads",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21719",
                            "    - ipmr: do not call mr_mfc_uses_dev() for unres entries",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21802",
                            "    - net: hns3: fix oops when unload drivers paralleling",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58058",
                            "    - ubifs: skip dumping tnc tree when zroot is null",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58069",
                            "    - rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21720",
                            "    - xfrm: delete intermediate secpath entry in packet offload mode",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21803",
                            "    - LoongArch: Fix warnings during S3 suspend",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21810",
                            "    - driver core: class: Fix wild pointer dereferences in API",
                            "      class_dev_iter_next()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21811",
                            "    - nilfs2: protect access to buffers with no active references",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21804",
                            "    - PCI: rcar-ep: Fix incorrect variable used when calling",
                            "      devm_request_mem_region()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21829",
                            "    - RDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57984",
                            "    - i3c: dw: Fix use-after-free in dw_i3c_master driver due to race",
                            "      condition",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58034",
                            "    - memory: tegra20-emc: fix an OF node reference bug in",
                            "      tegra_emc_find_node_by_ram_code()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57973",
                            "    - rdma/cxgb4: Prevent potential integer overflow on 32bit",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21725",
                            "    - smb: client: fix oops due to unset link speed",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21726",
                            "    - padata: avoid UAF for reorder_work",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21727",
                            "    - padata: fix UAF in padata_reorder",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21728",
                            "    - bpf: Send signals asynchronously if !preemptible",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58070",
                            "    - bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21711",
                            "    - net/rose: prevent integer overflows in rose_setsockopt()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21799",
                            "    - net: ethernet: ti: am65-cpsw: fix freeing IRQ in",
                            "      am65_cpsw_nuss_remove_tx_chns()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21806",
                            "    - net: let net.core.dev_weight always be non-zero",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21830",
                            "    - landlock: Handle weird files",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21828",
                            "    - wifi: mac80211: don't flush non-uploaded STAs",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58061",
                            "    - wifi: mac80211: prohibit deactivating all links",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57993",
                            "    - HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding",
                            "      endpoint check",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21812",
                            "    - ax25: rcu protect dev->ax25_ptr",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58071",
                            "    - team: prevent adding a device which is already a team device lower",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58063",
                            "    - wifi: rtlwifi: fix memory leaks and invalid access at probe error path",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58072",
                            "    - wifi: rtlwifi: remove unused check_buddy_priv",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58053",
                            "    - rxrpc: Fix handling of received connection abort",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57996",
                            "    - net_sched: sch_sfq: don't allow 1 packet limit",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57997",
                            "    - wifi: wcn36xx: fix channel survey memory allocation size",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58051",
                            "    - ipmi: ipmb: Add check devm_kasprintf() returned value",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58068",
                            "    - OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57998",
                            "    - OPP: add index check to assert to avoid buffer overflow in _read_freq()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-58052",
                            "    - drm/amdgpu: Fix potential NULL pointer dereference in",
                            "      atomctrl_get_smc_sclk_range_table",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2024-57986",
                            "    - HID: core: Fix assumption that Resolution Multipliers must be in Logical",
                            "      Collections",
                            "",
                            "  * Noble update: upstream stable patchset 2025-05-29 (LP: #2111953) //",
                            "    CVE-2025-21731",
                            "    - nbd: don't allow reconnect after disconnect",
                            "",
                            "  * CVE-2025-37798",
                            "    - sch_htb: make htb_qlen_notify() idempotent",
                            "    - sch_htb: make htb_deactivate() idempotent",
                            "    - sch_drr: make drr_qlen_notify() idempotent",
                            "    - sch_hfsc: make hfsc_qlen_notify() idempotent",
                            "    - sch_qfq: make qfq_qlen_notify() idempotent",
                            "    - sch_ets: make est_qlen_notify() idempotent",
                            "    - codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()",
                            "",
                            "  * CVE-2025-37997",
                            "    - netfilter: ipset: fix region locking in hash types",
                            "",
                            "  * CVE-2025-22088",
                            "    - RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()",
                            "",
                            "  * CVE-2025-37890",
                            "    - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child",
                            "      qdisc",
                            "    - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()",
                            "    - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice",
                            "",
                            "  * raid1: Fix NULL pointer dereference in process_checks() (LP: #2112519)",
                            "    - md/raid1: Add check for missing source disk in process_checks()",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] update annotations scripts",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-64.67",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2114668,
                            2112462,
                            2114174,
                            2114174,
                            2114174,
                            2114174,
                            2110090,
                            2114239,
                            2109951,
                            2106558,
                            2109609,
                            2100340,
                            2111599,
                            2106381,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2111953,
                            2112519,
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 15 Jun 2025 10:53:51 +0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-2312",
                                "url": "https://ubuntu.com/security/CVE-2025-2312",
                                "cve_description": "A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-03-25 18:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21689",
                                "url": "https://ubuntu.com/security/CVE-2025-21689",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()  This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following:         if (newport > serial->num_ports) {                dev_err(&port->dev,                        \"%s - port change to invalid port: %i\\n\",                        __func__, newport);                break;        }  The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of \"port\" in the following code is out-of-bounds and NULL:         serial_priv->current_port = newport;        port = serial->port[serial_priv->current_port];  The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-10 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21690",
                                "url": "https://ubuntu.com/security/CVE-2025-21690",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: storvsc: Ratelimit warning logs to prevent VM denial of service  If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-10 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21691",
                                "url": "https://ubuntu.com/security/CVE-2025-21691",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cachestat: fix page cache statistics permission checking  When the 'cachestat()' system call was added in commit cf264e1329fb (\"cachestat: implement cachestat syscall\"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work.  But it ended up missing the \"check for writability or ownership\" fix for mincore(), done in commit 134fca9063ad (\"mm/mincore.c: make mincore() more conservative\").  This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-10 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21692",
                                "url": "https://ubuntu.com/security/CVE-2025-21692",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: fix ets qdisc OOB Indexing  Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation.   [   18.852298] ------------[ cut here ]------------  [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20  [   18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'  [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17  [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014  [   18.856532] Call Trace:  [   18.857441]  <TASK>  [   18.858227]  dump_stack_lvl+0xc2/0xf0  [   18.859607]  dump_stack+0x10/0x20  [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0  [   18.864022]  ets_class_change+0x3d6/0x3f0  [   18.864322]  tc_ctl_tclass+0x251/0x910  [   18.864587]  ? lock_acquire+0x5e/0x140  [   18.865113]  ? __mutex_lock+0x9c/0xe70  [   18.866009]  ? __mutex_lock+0xa34/0xe70  [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0  [   18.866806]  ? __lock_acquire+0x578/0xc10  [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10  [   18.867503]  netlink_rcv_skb+0x59/0x110  [   18.867776]  rtnetlink_rcv+0x15/0x30  [   18.868159]  netlink_unicast+0x1c3/0x2b0  [   18.868440]  netlink_sendmsg+0x239/0x4b0  [   18.868721]  ____sys_sendmsg+0x3e2/0x410  [   18.869012]  ___sys_sendmsg+0x88/0xe0  [   18.869276]  ? rseq_ip_fixup+0x198/0x260  [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190  [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0  [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220  [   18.870547]  ? do_syscall_64+0x93/0x150  [   18.870821]  ? 
__memcg_slab_free_hook+0x69/0x290  [   18.871157]  __sys_sendmsg+0x69/0xd0  [   18.871416]  __x64_sys_sendmsg+0x1d/0x30  [   18.871699]  x64_sys_call+0x9e2/0x2670  [   18.871979]  do_syscall_64+0x87/0x150  [   18.873280]  ? do_syscall_64+0x93/0x150  [   18.874742]  ? lock_release+0x7b/0x160  [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0  [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210  [   18.879608]  ? irqentry_exit+0x77/0xb0  [   18.879808]  ? clear_bhb_loop+0x15/0x70  [   18.880023]  ? clear_bhb_loop+0x15/0x70  [   18.880223]  ? clear_bhb_loop+0x15/0x70  [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e  [   18.880683] RIP: 0033:0x44a957  [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10  [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e  [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957  [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003  [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0  [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001  [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001  [   18.888395]  </TASK>  [   18.888610] ---[ end trace ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-10 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21699",
                                "url": "https://ubuntu.com/security/CVE-2025-21699",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag  Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-12 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-50157",
                                "url": "https://ubuntu.com/security/CVE-2024-50157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop  Driver waits indefinitely for the fifo occupancy to go below a threshold as soon as the pacing interrupt is received. This can cause soft lockup on one of the processors, if the rate of DB is very high.  Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th if the loop is taking more time. Pacing will be continuing until the occupancy is below the threshold. This is ensured by the checks in bnxt_re_pacing_timer_exp and further scheduling the work for pacing based on the fifo occupancy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-11-07 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21672",
                                "url": "https://ubuntu.com/security/CVE-2025-21672",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  afs: Fix merge preference rule failure condition  syzbot reported a lock held when returning to userspace[1].  This is because if argc is less than 0 and the function returns directly, the held inode lock is not released.  Fix this by store the error in ret and jump to done to clean up instead of returning directly.  [dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()]  [1] WARNING: lock held when returning to user space! 6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted ------------------------------------------------ syz-executor133/5823 is leaving the kernel with locks still held! 1 lock held by syz-executor133/5823:  #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]  #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21682",
                                "url": "https://ubuntu.com/security/CVE-2025-21682",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eth: bnxt: always recalculate features after XDP clearing, fix null-deref  Recalculate features when XDP is detached.  Before:   # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp   # ip li set dev eth0 xdp off   # ethtool -k eth0 | grep gro   rx-gro-hw: off [requested on]  After:   # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp   # ip li set dev eth0 xdp off   # ethtool -k eth0 | grep gro   rx-gro-hw: on  The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly.  Starting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in __bnxt_reserve_rings()\") we only reconfigure the RSS hash table if the \"effective\" number of Rx rings has changed. If HW-GRO is enabled \"effective\" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement \"pending\" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the:    if (old_rx_rings != bp->hw_resc.resv_rx_rings &&  condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with:    BUG: kernel NULL pointer dereference, address: 0000000000000168   RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0     bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180     __bnxt_setup_vnic_p5+0x58/0x110     bnxt_init_nic+0xb72/0xf50     __bnxt_open_nic+0x40d/0xab0     bnxt_open_nic+0x2b/0x60     ethtool_set_channels+0x18c/0x1d0  As we try to access a freed ring.  The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in __bnxt_reserve_rings()\") it wasn't causing major issues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-53124",
                                "url": "https://ubuntu.com/security/CVE-2024-53124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fix data-races around sk->sk_forward_alloc  Syzkaller reported this warning:  ------------[ cut here ]------------  WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0  Modules linked in:  CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014  RIP: 0010:inet_sock_destruct+0x1c5/0x1e0  Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00  RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206  RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007  RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00  RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007  R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00  R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78  FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  Call Trace:   <TASK>   ? __warn+0x88/0x130   ? inet_sock_destruct+0x1c5/0x1e0   ? report_bug+0x18e/0x1a0   ? handle_bug+0x53/0x90   ? exc_invalid_op+0x18/0x70   ? asm_exc_invalid_op+0x1a/0x20   ? inet_sock_destruct+0x1c5/0x1e0   __sk_destruct+0x2a/0x200   rcu_do_batch+0x1aa/0x530   ? rcu_do_batch+0x13b/0x530   rcu_core+0x159/0x2f0   handle_softirqs+0xd3/0x2b0   ? __pfx_smpboot_thread_fn+0x10/0x10   run_ksoftirqd+0x25/0x30   smpboot_thread_fn+0xdd/0x1d0   kthread+0xd3/0x100   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x34/0x50   ? 
__pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  ---[ end trace 0000000000000000 ]---  Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv     tcp_v6_do_rcv         skb_clone_and_charge_r             sk_rmem_schedule                 __sk_mem_schedule                     sk_forward_alloc_add()             skb_set_owner_r                 sk_mem_charge                     sk_forward_alloc_add()         __kfree_skb             skb_release_all                 skb_release_head_state                     sock_rfree                         sk_mem_uncharge                             sk_forward_alloc_add()                             sk_mem_reclaim                                 // set local var reclaimable                                 __sk_mem_reclaim                                     sk_forward_alloc_add()  In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this:  (cpu 1)             | (cpu 2)             | sk_forward_alloc  ...                 | ...                 | 0  __sk_mem_schedule() |                     | +4096 = 4096                      | __sk_mem_schedule() | +4096 = 8192  sk_mem_charge()     |                     | -768  = 7424                      | sk_mem_charge()     | -768  = 6656  ...                 |    ...              |  sk_mem_uncharge()   |                     | +768  = 7424  reclaimable=7424    |                     |                      | sk_mem_uncharge()   | +768  = 8192                      | reclaimable=8192    |  __sk_mem_reclaim()  |                     | -4096 = 4096                      | __sk_mem_reclaim()  | -8192 = -4096 != 0  The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). 
Fix the same issue in dccp_v6_do_rcv().",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-02 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57924",
                                "url": "https://ubuntu.com/security/CVE-2024-57924",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs: relax assertions on failure to encode file handles  Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons.  The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle.  There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong.  The second linked bug report states commit 16aac5ad1fa9 (\"ovl: support encoding non-decodable file handles\") in v6.6 as the regressing commit, but this is not accurate.  The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches.  Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit.  Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-19 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57951",
                                "url": "https://ubuntu.com/security/CVE-2024-57951",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hrtimers: Handle CPU state correctly on hotplug  Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE:  Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online state, for instance CFS incorrectly assumes that the hrtick is already active, and the chance of the clockevent device to transition to oneshot mode is also lost forever for the CPU, unless it goes back to a lower state than CPUHP_HRTIMERS_PREPARE once.  This round-trip reveals another issue; cpu_base.online is not set to 1 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().  Aside of that, the bulk of the per CPU state is not reset either, which means there are dangling pointers in the worst case.  Address this by adding a corresponding startup() callback, which resets the stale per CPU state and sets the online flag.  [ tglx: Make the new callback unconditionally available, remove the online   \tmodification in the prepare() callback and clear the remaining   \tstate in the starting callback instead of the prepare callback ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-12 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57949",
                                "url": "https://ubuntu.com/security/CVE-2024-57949",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()  The following call-chain leads to enabling interrupts in a nested interrupt disabled section:  irq_set_vcpu_affinity()   irq_get_desc_lock()      raw_spin_lock_irqsave()   <--- Disable interrupts   its_irq_set_vcpu_affinity()      guard(raw_spinlock_irq)   <--- Enables interrupts when leaving the guard()   irq_put_desc_unlock()        <--- Warns because interrupts are enabled  This was broken in commit b97e8a2f7130, which replaced the original raw_spin_[un]lock() pair with guard(raw_spinlock_irq).  Fix the issue by using guard(raw_spinlock).  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-09 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21668",
                                "url": "https://ubuntu.com/security/CVE-2025-21668",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: imx8mp-blk-ctrl: add missing loop break condition  Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs.  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace:  dev_pm_domain_detach+0x8/0x48  platform_shutdown+0x2c/0x48  device_shutdown+0x158/0x268  kernel_restart_prepare+0x40/0x58  kernel_kexec+0x58/0xe8  __do_sys_reboot+0x198/0x258  __arm64_sys_reboot+0x2c/0x40  invoke_syscall+0x5c/0x138  el0_svc_common.constprop.0+0x48/0xf0  do_el0_svc+0x24/0x38  el0_svc+0x38/0xc8  el0t_64_sync_handler+0x120/0x130  el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21684",
                                "url": "https://ubuntu.com/security/CVE-2025-21684",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpio: xilinx: Convert gpio_lock to raw spinlock  irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking.  This fixes the following lockdep splat:  [    5.349336] ============================= [    5.353349] [ BUG: Invalid wait context ] [    5.357361] 6.13.0-rc5+ #69 Tainted: G        W [    5.363031] ----------------------------- [    5.367045] kworker/u17:1/44 is trying to lock: [    5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [    5.380079] other info that might help us debug this: [    5.385138] context-{5:5} [    5.387762] 5 locks held by kworker/u17:1/44: [    5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [    5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [    5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [    5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [    5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [    5.436472] stack backtrace: [    5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G       W          6.13.0-rc5+ #69 [    5.448690] Tainted: [W]=WARN [    5.451656] Hardware name: xlnx,zynqmp (DT) [    5.455845] Workqueue: events_unbound deferred_probe_work_func [    5.461699] Call trace: [    5.464147] show_stack+0x18/0x24 C [    5.467821] dump_stack_lvl (lib/dump_stack.c:123) [    5.471501] dump_stack (lib/dump_stack.c:130) [    5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 
kernel/locking/lockdep.c:5176) [    5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [    5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [    5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [    5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [    5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [    5.497645] irq_startup (kernel/irq/chip.c:270) [    5.501143] __setup_irq (kernel/irq/manage.c:1807) [    5.504728] request_threaded_irq (kernel/irq/manage.c:2208)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-09 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21694",
                                "url": "https://ubuntu.com/security/CVE-2025-21694",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix softlockup in __read_vmcore (part 2)  Since commit 5cbcb62dddf5 (\"fs/proc: fix softlockup in __read_vmcore\") the number of softlockups in __read_vmcore at kdump time have gone down, but they still happen sometimes.  In a memory constrained environment like the kdump image, a softlockup is not just a harmless message, but it can interfere with things like RCU freeing memory, causing the crashdump to get stuck.  The second loop in __read_vmcore has a lot more opportunities for natural sleep points, like scheduling out while waiting for a data write to happen, but apparently that is not always enough.  Add a cond_resched() to the second loop in __read_vmcore to (hopefully) get rid of the softlockups.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-12 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21665",
                                "url": "https://ubuntu.com/security/CVE-2025-21665",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  filemap: avoid truncating 64-bit offset to 32 bits  On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21666",
                                "url": "https://ubuntu.com/security/CVE-2025-21666",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]  Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't.  Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning.  This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21669",
                                "url": "https://ubuntu.com/security/CVE-2025-21669",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: discard packets if the transport changes  If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport.  A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21670",
                                "url": "https://ubuntu.com/security/CVE-2025-21670",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/bpf: return early if transport is not assigned  Some of the core functions can only be called if the transport has been assigned.  As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace:      BUG: kernel NULL pointer dereference, address: 00000000000000a0     #PF: supervisor read access in kernel mode     #PF: error_code(0x0000) - not-present page     PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0     Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI     CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+     RIP: 0010:vsock_connectible_has_data+0x1f/0x40     Call Trace:      vsock_bpf_recvmsg+0xca/0x5e0      sock_recvmsg+0xb9/0xc0      __sys_recvfrom+0xb3/0x130      __x64_sys_recvfrom+0x20/0x30      do_syscall_64+0x93/0x180      entry_SYSCALL_64_after_hwframe+0x76/0x7e  So we need to check the `vsk->transport` in vsock_bpf_recvmsg(), especially for connected sockets (stream/seqpacket) as we already do in __vsock_connectible_recvmsg().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21667",
                                "url": "https://ubuntu.com/security/CVE-2025-21667",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iomap: avoid avoid truncating 64-bit offset to 32 bits  on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-57948",
                                "url": "https://ubuntu.com/security/CVE-2024-57948",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mac802154: check local interfaces before deleting sdata list  syzkaller reported a corrupted list in ieee802154_if_remove. [1]  Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system.  CPU0\t\t\t\t\tCPU1 ====\t\t\t\t\t==== genl_family_rcv_msg_doit\t\tieee802154_unregister_hw ieee802154_del_iface\t\t\tieee802154_remove_interfaces rdev_del_virtual_intf_deprecated\tlist_del(&sdata->list) ieee802154_if_remove list_del_rcu  The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove.  To avoid this issue, add a check for local->interfaces before deleting sdata list.  [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  __list_del_entry_valid include/linux/list.h:124 [inline]  __list_del_entry include/linux/list.h:215 [inline]  list_del_rcu include/linux/rculist.h:157 [inline]  ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687  rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]  ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901  sock_sendmsg_nosec net/socket.c:729 [inline]  __sock_sendmsg+0x221/0x270 net/socket.c:744  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607  ___sys_sendmsg net/socket.c:2661 [inline]  __sys_sendmsg+0x292/0x380 net/socket.c:2690  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21673",
                                "url": "https://ubuntu.com/security/CVE-2025-21673",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix double free of TCP_Server_Info::hostname  When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done.  Otherwise the following can happen:    RIP: 0010:__slab_free+0x223/0x3c0   Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89   1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f>   0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80   RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246   RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068   RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400   RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000   R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500   R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068   FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)   000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:   PKRU: 55555554   Call Trace:    <TASK>    ? show_trace_log_lvl+0x1c4/0x2df    ? show_trace_log_lvl+0x1c4/0x2df    ? __reconnect_target_unlocked+0x3e/0x160 [cifs]    ? __die_body.cold+0x8/0xd    ? die+0x2b/0x50    ? do_trap+0xce/0x120    ? __slab_free+0x223/0x3c0    ? do_error_trap+0x65/0x80    ? __slab_free+0x223/0x3c0    ? exc_invalid_op+0x4e/0x70    ? __slab_free+0x223/0x3c0    ? asm_exc_invalid_op+0x16/0x20    ? __slab_free+0x223/0x3c0    ? extract_hostname+0x5c/0xa0 [cifs]    ? extract_hostname+0x5c/0xa0 [cifs]    ? __kmalloc+0x4b/0x140    __reconnect_target_unlocked+0x3e/0x160 [cifs]    reconnect_dfs_server+0x145/0x430 [cifs]    cifs_handle_standard+0x1ad/0x1d0 [cifs]    cifs_demultiplex_thread+0x592/0x730 [cifs]    ? 
__pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]    kthread+0xdd/0x100    ? __pfx_kthread+0x10/0x10    ret_from_fork+0x29/0x50    </TASK>",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21697",
                                "url": "https://ubuntu.com/security/CVE-2025-21697",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/v3d: Ensure job pointer is set to NULL after job completion  After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-02-12 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21674",
                                "url": "https://ubuntu.com/security/CVE-2025-21674",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel  Attempt to enable IPsec packet offload in tunnel mode in debug kernel generates the following kernel panic, which is happening due to two issues: 1. In SA add section, the should be _bh() variant when marking SA mode. 2. There is not needed flush_workqueue in SA delete routine. It is not needed as at this stage as it is removed from SADB and the running work will be canceled later in SA free.   =====================================================  WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected  6.12.0+ #4 Not tainted  -----------------------------------------------------  charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:  ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]   and this task is already holding:  ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30  which would create a new lock dependency:   (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}   but this new dependency connects a SOFTIRQ-irq-safe lock:   (&x->lock){+.-.}-{3:3}   ... which became SOFTIRQ-irq-safe at:    lock_acquire+0x1be/0x520    _raw_spin_lock_bh+0x34/0x40    xfrm_timer_handler+0x91/0xd70    __hrtimer_run_queues+0x1dd/0xa60    hrtimer_run_softirq+0x146/0x2e0    handle_softirqs+0x266/0x860    irq_exit_rcu+0x115/0x1a0    sysvec_apic_timer_interrupt+0x6e/0x90    asm_sysvec_apic_timer_interrupt+0x16/0x20    default_idle+0x13/0x20    default_idle_call+0x67/0xa0    do_idle+0x2da/0x320    cpu_startup_entry+0x50/0x60    start_secondary+0x213/0x2a0    common_startup_64+0x129/0x138   to a SOFTIRQ-irq-unsafe lock:   (&xa->xa_lock#24){+.+.}-{3:3}   ... which became SOFTIRQ-irq-unsafe at:  ...    
lock_acquire+0x1be/0x520    _raw_spin_lock+0x2c/0x40    xa_set_mark+0x70/0x110    mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]    xfrm_dev_state_add+0x3bb/0xd70    xfrm_add_sa+0x2451/0x4a90    xfrm_user_rcv_msg+0x493/0x880    netlink_rcv_skb+0x12e/0x380    xfrm_netlink_rcv+0x6d/0x90    netlink_unicast+0x42f/0x740    netlink_sendmsg+0x745/0xbe0    __sock_sendmsg+0xc5/0x190    __sys_sendto+0x1fe/0x2c0    __x64_sys_sendto+0xdc/0x1b0    do_syscall_64+0x6d/0x140    entry_SYSCALL_64_after_hwframe+0x4b/0x53   other info that might help us debug this:    Possible interrupt unsafe locking scenario:          CPU0                    CPU1         ----                    ----    lock(&xa->xa_lock#24);                                 local_irq_disable();                                 lock(&x->lock);                                 lock(&xa->xa_lock#24);    <Interrupt>      lock(&x->lock);    *** DEADLOCK ***   2 locks held by charon/1337:   #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90   #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30   the dependencies between SOFTIRQ-irq-safe lock and the holding lock:  -> (&x->lock){+.-.}-{3:3} ops: 29 {     HARDIRQ-ON-W at:                      lock_acquire+0x1be/0x520                      _raw_spin_lock_bh+0x34/0x40                      xfrm_alloc_spi+0xc0/0xe60                      xfrm_alloc_userspi+0x5f6/0xbc0                      xfrm_user_rcv_msg+0x493/0x880                      netlink_rcv_skb+0x12e/0x380                      xfrm_netlink_rcv+0x6d/0x90                      netlink_unicast+0x42f/0x740                      netlink_sendmsg+0x745/0xbe0                      __sock_sendmsg+0xc5/0x190                      __sys_sendto+0x1fe/0x2c0                      __x64_sys_sendto+0xdc/0x1b0                      do_syscall_64+0x6d/0x140                      entry_SYSCALL_64_after_hwframe+0x4b/0x53     IN-SOFTIRQ-W at:                      
lock_acquire+0x1be/0x520                      _raw_spin_lock_bh+0x34/0x40                      xfrm_timer_handler+0x91/0xd70                      __hrtimer_run_queues+0x1dd/0xa60    ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21675",
                                "url": "https://ubuntu.com/security/CVE-2025-21675",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Clear port select structure when fail to create  Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash:    mlx5_lag_port_sel_create()     mlx5_lag_create_definers()       mlx5_lag_create_definer()     <- Failed on tt 1         mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed   mlx5_lag_port_sel_create()     mlx5_lag_create_definers()       mlx5_lag_create_definer()     <- Failed on tt 0         mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008  Mem abort info:    ESR = 0x0000000096000005    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x05: level 1 translation fault  Data abort info:    ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000    CM = 0, WnR = 0, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00  [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000  Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP  Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter 
bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]   CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G           OE     6.11.0+ #2   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE   Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015   Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)   pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]   lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]   sp : ffff800085fafb00   x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000   x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000   x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000   x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350   x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0   x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c   x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190   x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000   x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000   Call trace:    mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]    mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]    mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]    mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]    mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]    mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]    process_one_work+0x170/0x3e0    worker_thread+0x2d8/0x3e0    kthread+0x11c/0x128    ret_from_fork+0x10/0x20   Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21676",
                                "url": "https://ubuntu.com/security/CVE-2025-21676",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: fec: handle page_pool_dev_alloc_pages error  The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash.  This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd share to a SATA HDD attached to an imx6q.  Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve the problem for my test case. But it still seems wrong that the fec driver ignores the memory allocation error and can crash.  This commit handles the allocation error by dropping the current packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21678",
                                "url": "https://ubuntu.com/security/CVE-2025-21678",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gtp: Destroy device along with udp socket's netns dismantle.  gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created.  Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0]  In this example, gtp0 is created in ns2, and the udp socket is created in ns1.    ip netns add ns1   ip netns add ns2   ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn   ip netns del ns1  Let's link the device to the socket's netns instead.  Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns.  [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at      sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)      inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)      __sock_create (net/socket.c:1558)      udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)      gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423)      gtp_create_sockets (drivers/net/gtp.c:1447)      gtp_newlink (drivers/net/gtp.c:1507)      rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)      rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)      netlink_rcv_skb (net/netlink/af_netlink.c:2542)      netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)      netlink_sendmsg (net/netlink/af_netlink.c:1891)      ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)      ___sys_sendmsg (net/socket.c:2639)      __sys_sendmsg (net/socket.c:2669)      do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)  WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 
6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace:  <TASK>  ? __warn (kernel/panic.c:748)  ? ref_tracker_dir_exit (lib/ref_tracker.c:179)  ? report_bug (lib/bug.c:201 lib/bug.c:219)  ? handle_bug (arch/x86/kernel/traps.c:285)  ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))  ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)  ? ref_tracker_dir_exit (lib/ref_tracker.c:179)  ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)  ? 
kfree (mm/slub.c:4613 mm/slub.c:4761)  net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)  cleanup_net (net/core/net_namespace.c:664 (discriminator 3))  process_one_work (kernel/workqueue.c:3229)  worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21680",
                                "url": "https://ubuntu.com/security/CVE-2025-21680",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pktgen: Avoid out-of-bounds access in get_imix_entries  Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check.  UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130  Found by Linux Verification Center (linuxtesting.org) with SVACE.  [ fp: allow to fill the array completely; minor changelog cleanup ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21681",
                                "url": "https://ubuntu.com/security/CVE-2025-21681",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: fix lockup on tx to unregistering netdev with carrier  Commit in a fixes tag attempted to fix the issue in the following sequence of calls:      do_output     -> ovs_vport_send        -> dev_queue_xmit           -> __dev_queue_xmit              -> netdev_core_pick_tx                 -> skb_tx_hash  When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever.  But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK.  One example of such device is a net/dummy.  It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath.  There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments.  And when the issue is hit, the only way to recover is to reboot.  Fix that by also checking if the device is running.  The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway.  While only checking the running state might be enough, the carrier check is preserved.  The running and the carrier states seem disjoined throughout the code and different drivers.  And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet.  So, it seems safer to check both flags in OVS as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-21683",
                                "url": "https://ubuntu.com/security/CVE-2025-21683",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix bpf_sk_select_reuseport() memory leak  As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounted socket.  Drop sk's reference in both error paths.  unreferenced object 0xffff888101911800 (size 2048):   comm \"test_progs\", pid 44109, jiffies 4297131437   hex dump (first 32 bytes):     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................     80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................   backtrace (crc 9336483b):     __kmalloc_noprof+0x3bf/0x560     __reuseport_alloc+0x1d/0x40     reuseport_alloc+0xca/0x150     reuseport_attach_prog+0x87/0x140     sk_reuseport_attach_bpf+0xc8/0x100     sk_setsockopt+0x1181/0x1990     do_sock_setsockopt+0x12b/0x160     __sys_setsockopt+0x7b/0xc0     __x64_sys_setsockopt+0x1b/0x30     do_syscall_64+0x93/0x180     entry_SYSCALL_64_after_hwframe+0x76/0x7e",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-01-31 12:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * noble/linux: 6.8.0-62.65 -proposed tracker (LP: #2110737)",
                            "",
                            "  * Rotate the Canonical Livepatch key (LP: #2111244)",
                            "    - [Config] Prepare for Canonical Livepatch key rotation",
                            "",
                            "  * KVM bug causes Firecracker crash when it runs the vCPU for the first time",
                            "    (LP: #2109859)",
                            "    - vhost: return task creation error instead of NULL",
                            "    - kvm: retry nx_huge_page_recovery_thread creation",
                            "",
                            "  * CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache",
                            "    (LP: #2099914) // CVE-2025-2312",
                            "    - CIFS: New mount option for cifs.upcall namespace resolution",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640)",
                            "    - ASoC: wm8994: Add depends on MFD core",
                            "    - ASoC: samsung: Add missing selects for MFD_WM8994",
                            "    - seccomp: Stub for !CONFIG_SECCOMP",
                            "    - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request",
                            "    - of/unittest: Add test that of_address_to_resource() fails on non-",
                            "      translatable address",
                            "    - irqchip/sunxi-nmi: Add missing SKIP_WAKE flag",
                            "    - hwmon: (drivetemp) Set scsi command timeout to 10s",
                            "    - ASoC: samsung: Add missing depends on I2C",
                            "    - ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf()",
                            "    - Revert \"libfs: fix infinite directory reads for offset dir\"",
                            "    - libfs: Replace simple_offset end-of-directory detection",
                            "    - Revert \"HID: multitouch: Add support for lenovo Y9000P Touchpad\"",
                            "    - ALSA: usb-audio: Add delay quirk for USB Audio Device",
                            "    - Input: xpad - add support for Nacon Pro Compact",
                            "    - Input: atkbd - map F23 key to support default copilot shortcut",
                            "    - Input: xpad - add unofficial Xbox 360 wireless receiver clone",
                            "    - Input: xpad - add QH Electronics VID/PID",
                            "    - Input: xpad - improve name of 8BitDo controller 2dc8:3106",
                            "    - Input: xpad - add support for Nacon Evol-X Xbox One Controller",
                            "    - Input: xpad - add support for wooting two he (arm)",
                            "    - ASoC: codecs: es8316: Fix HW rate calculation for 48Mhz MCLK",
                            "    - ASoC: cs42l43: Add codec force suspend/resume ops",
                            "    - ALSA: hda/realtek: Fix volume adjustment issue on Lenovo ThinkBook 16P Gen5",
                            "    - libfs: Return ENOSPC when the directory offset range is exhausted",
                            "    - Revert \"libfs: Add simple_offset_empty()\"",
                            "    - libfs: Use d_children list to iterate simple_offset directories",
                            "    - wifi: rtl8xxxu: add more missing rtl8192cu USB IDs",
                            "    - HID: wacom: Initialize brightness of LED trigger",
                            "    - Upstream stable to v6.6.75, v6.12.12",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //",
                            "    CVE-2025-21689",
                            "    - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //",
                            "    CVE-2025-21690",
                            "    - scsi: storvsc: Ratelimit warning logs to prevent VM denial of service",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //",
                            "    CVE-2025-21691",
                            "    - cachestat: fix page cache statistics permission checking",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //",
                            "    CVE-2025-21692",
                            "    - net: sched: fix ets qdisc OOB Indexing",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //",
                            "    CVE-2025-21699",
                            "    - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-29 (LP: #2109640) //",
                            "    CVE-2024-50157",
                            "    - RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop",
                            "",
                            "  * rtw89: Support hardware rfkill (LP: #2077384)",
                            "    - wifi: rtw89: add support for hardware rfkill",
                            "",
                            "  * Introduce configfs-based interface for gpio-aggregator (LP: #2103496)",
                            "    - gpio: introduce utilities for synchronous fake device creation",
                            "    - bitmap: Define a cleanup function for bitmaps",
                            "    - gpio: aggregator: simplify aggr_parse() with scoped bitmap",
                            "    - gpio: aggregator: protect driver attr handlers against module unload",
                            "    - gpio: aggregator: reorder functions to prepare for configfs introduction",
                            "    - gpio: aggregator: unify function naming",
                            "    - gpio: aggregator: add gpio_aggregator_{alloc, free}()",
                            "    - gpio: aggregator: introduce basic configfs interface",
                            "    - [Config] Enable DEV_SYNC_PROBE as module",
                            "    - SAUCE: gpio: aggregator: Fix error code in gpio_aggregator_activate()",
                            "    - gpio: aggregator: rename 'name' to 'key' in gpio_aggregator_parse()",
                            "    - gpio: aggregator: expose aggregator created via legacy sysfs to configfs",
                            "    - SAUCE: gpio: aggregator: fix \"_sysfs\" prefix check in",
                            "      gpio_aggregator_make_group()",
                            "    - SAUCE: gpio: aggregator: Fix gpio_aggregator_line_alloc() checking",
                            "    - SAUCE: gpio: aggregator: Return an error if there are no GPIOs in",
                            "      gpio_aggregator_parse()",
                            "    - SAUCE: gpio: aggregator: Fix leak in gpio_aggregator_parse()",
                            "    - gpio: aggregator: cancel deferred probe for devices created via configfs",
                            "    - Documentation: gpio: document configfs interface for gpio-aggregator",
                            "    - selftests: gpio: add test cases for gpio-aggregator",
                            "    - SAUCE: selftests: gpio: gpio-aggregator: add a test case for _sysfs prefix",
                            "      reservation",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449)",
                            "    - net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()",
                            "    - net: add exit_batch_rtnl() method",
                            "    - gtp: use exit_batch_rtnl() method",
                            "    - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().",
                            "    - gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().",
                            "    - nfp: bpf: prevent integer overflow in nfp_bpf_event_output()",
                            "    - net: xilinx: axienet: Fix IRQ coalescing packet count overflow",
                            "    - net/mlx5: Fix RDMA TX steering prio",
                            "    - net/mlx5e: Rely on reqid in IPsec tunnel mode",
                            "    - net/mlx5e: Always start IPsec sequence number from 1",
                            "    - drm/vmwgfx: Add new keep_resv BO param",
                            "    - drm/v3d: Assign job pointer to NULL before signaling the fence",
                            "    - soc: ti: pruss: Fix pruss APIs",
                            "    - hwmon: (tmp513) Fix division of negative numbers",
                            "    - i2c: mux: demux-pinctrl: check initial mux selection, too",
                            "    - i2c: rcar: fix NACK handling when being a target",
                            "    - hfs: Sanity check the root record",
                            "    - fs: fix missing declaration of init_files",
                            "    - kheaders: Ignore silly-rename files",
                            "    - cachefiles: Parse the \"secctx\" immediately",
                            "    - scsi: ufs: core: Honor runtime/system PM levels if set by host controller",
                            "      drivers",
                            "    - selftests: tc-testing: reduce rshift value",
                            "    - ACPI: resource: acpi_dev_irq_override(): Check DMI match last",
                            "    - poll_wait: add mb() to fix theoretical race between waitqueue_active() and",
                            "      .poll()",
                            "    - RDMA/bnxt_re: Fix to export port num to ib_query_qp",
                            "    - nvmet: propagate npwg topology",
                            "    - ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA",
                            "    - i2c: atr: Fix client detach",
                            "    - mptcp: be sure to send ack when mptcp-level window re-opens",
                            "    - mptcp: fix spurious wake-up on under memory pressure",
                            "    - selftests: mptcp: avoid spurious errors on disconnect",
                            "    - net: ethernet: xgbe: re-add aneg to supported features in PHY quirks",
                            "    - vsock/virtio: cancel close work in the destructor",
                            "    - vsock: reset socket state when de-assigning the transport",
                            "    - nouveau/fence: handle cross device fences properly",
                            "    - irqchip: Plug a OF node reference leak in platform_irqchip_probe()",
                            "    - irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly",
                            "    - drm/i915/fb: Relax clear color alignment to 64 bytes",
                            "    - drm/amdgpu: always sync the GFX pipe on ctx switch",
                            "    - ocfs2: fix deadlock in ocfs2_get_system_file_inode",
                            "    - nfsd: add list_head nf_gc to struct nfsd_file",
                            "    - x86/xen: fix SLS mitigation in xen_hypercall_iret()",
                            "    - efi/zboot: Limit compression options to GZIP and ZSTD",
                            "    - [Config] updateconfigs for HAVE_KERNEL_(LZ4|LZMA|LZO|XZ)",
                            "    - net: ravb: Fix max TX frame size for RZ/V2M",
                            "    - net/mlx5: SF, Fix add port error handling",
                            "    - drm/vmwgfx: Unreserve BO on error",
                            "    - i2c: testunit: on errors, repeat NACK until STOP",
                            "    - hwmon: (ltc2991) Fix mixed signed/unsigned in DIV_ROUND_CLOSEST",
                            "    - fs/qnx6: Fix building with GCC 15",
                            "    - gpio: sim: lock up configfs that an instantiated device depends on",
                            "    - gpio: sim: lock hog configfs items if present",
                            "    - platform/x86: ISST: Add Clearwater Forest to support list",
                            "    - drm/nouveau/disp: Fix missing backlight control on Macbook 5,1",
                            "    - net/ncsi: fix locking in Get MAC Address handling",
                            "    - drm/amd/display: Do not elevate mem_type change to full update",
                            "    - drm/xe: Mark ComputeCS read mode as UC on iGPU",
                            "    - drm/amdgpu/smu13: update powersave optimizations",
                            "    - drm/amdgpu: fix fw attestation for MP0_14_0_{2/3}",
                            "    - drm/amdgpu: disable gfxoff with the compute workload on gfx12",
                            "    - drm/amd/display: Fix PSR-SU not support but still call the",
                            "      amdgpu_dm_psr_enable",
                            "    - Upstream stable to v6.6.73, v6.6.74, v6.12.11",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21672",
                            "    - afs: Fix merge preference rule failure condition",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21682",
                            "    - eth: bnxt: always recalculate features after XDP clearing, fix null-deref",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2024-53124",
                            "    - net: fix data-races around sk->sk_forward_alloc",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2024-57924",
                            "    - fs: relax assertions on failure to encode file handles",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2024-57951",
                            "    - hrtimers: Handle CPU state correctly on hotplug",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2024-57949",
                            "    - irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21668",
                            "    - pmdomain: imx8mp-blk-ctrl: add missing loop break condition",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21684",
                            "    - gpio: xilinx: Convert gpio_lock to raw spinlock",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21694",
                            "    - fs/proc: fix softlockup in __read_vmcore (part 2)",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21665",
                            "    - filemap: avoid truncating 64-bit offset to 32 bits",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21666",
                            "    - vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21669",
                            "    - vsock/virtio: discard packets if the transport changes",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21670",
                            "    - vsock/bpf: return early if transport is not assigned",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21667",
                            "    - iomap: avoid avoid truncating 64-bit offset to 32 bits",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2024-57948",
                            "    - mac802154: check local interfaces before deleting sdata list",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21673",
                            "    - smb: client: fix double free of TCP_Server_Info::hostname",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21697",
                            "    - drm/v3d: Ensure job pointer is set to NULL after job completion",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21674",
                            "    - net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21675",
                            "    - net/mlx5: Clear port select structure when fail to create",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21676",
                            "    - net: fec: handle page_pool_dev_alloc_pages error",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21678",
                            "    - gtp: Destroy device along with udp socket's netns dismantle.",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21680",
                            "    - pktgen: Avoid out-of-bounds access in get_imix_entries",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21681",
                            "    - openvswitch: fix lockup on tx to unregistering netdev with carrier",
                            "",
                            "  * Noble update: upstream stable patchset 2025-04-16 (LP: #2107449) //",
                            "    CVE-2025-21683",
                            "    - bpf: Fix bpf_sk_select_reuseport() memory leak",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update annotations scripts",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.8.0-62.65",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2110737,
                            2111244,
                            2109859,
                            2099914,
                            2109640,
                            2109640,
                            2109640,
                            2109640,
                            2109640,
                            2109640,
                            2109640,
                            2077384,
                            2103496,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            2107449,
                            1786013
                        ],
                        "author": "Stefan Bader <stefan.bader@canonical.com>",
                        "date": "Mon, 19 May 2025 12:55:33 +0200"
                    }
                ],
                "notes": "linux-modules-6.8.0-64-generic version '6.8.0-64.67' (source package linux version '6.8.0-64.67') was added. linux-modules-6.8.0-64-generic version '6.8.0-64.67' has the same source package name, linux, as removed package linux-modules-6.8.0-60-generic. As such we can use the source package version of the removed package, '6.8.0-60.63', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.8.0-60-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.8.0-60.63",
                    "version": "6.8.0-60.63"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.8.0-60-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.8.0-60.63",
                    "version": "6.8.0-60.63"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20250619 to 20250727",
    "from_series": "noble",
    "to_series": "noble",
    "from_serial": "20250619",
    "to_serial": "20250727",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}