CVE-2025-39783

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: endpoint: Fix configfs group list head handling<br /> <br /> Doing a list_del() on the epf_group field of struct pci_epf_driver in<br /> pci_epf_remove_cfs() is not correct as this field is a list head, not<br /> a list entry. This list_del() call triggers a KASAN warning when an<br /> endpoint function driver which has a configfs attribute group is torn<br /> down:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198<br /> Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319<br /> <br /> CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE<br /> Hardware name: Radxa ROCK 5B (DT)<br /> Call trace:<br /> show_stack+0x2c/0x84 (C)<br /> dump_stack_lvl+0x70/0x98<br /> print_report+0x17c/0x538<br /> kasan_report+0xb8/0x190<br /> __asan_report_store8_noabort+0x20/0x2c<br /> pci_epf_remove_cfs+0x17c/0x198<br /> pci_epf_unregister_driver+0x18/0x30<br /> nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]<br /> __arm64_sys_delete_module+0x264/0x424<br /> invoke_syscall+0x70/0x260<br /> el0_svc_common.constprop.0+0xac/0x230<br /> do_el0_svc+0x40/0x58<br /> el0_svc+0x48/0xdc<br /> el0t_64_sync_handler+0x10c/0x138<br /> el0t_64_sync+0x198/0x19c<br /> ...<br /> <br /> Remove this incorrect list_del() call from pci_epf_remove_cfs().