Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-pci: ensure we&amp;#39;re polling a polled queue<br /> <br /> A user can change the polled queue count at run time. There&amp;#39;s a brief<br /> window during a reset where a hipri task may try to poll that queue<br /> before the block layer has updated the queue maps, which would race with<br /> the now interrupt driven queue and may cause double completions.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: magicmouse: avoid memory leak in magicmouse_report_fixup()<br /> <br /> The magicmouse_report_fixup() function was returning a<br /> newly kmemdup()-allocated buffer, but never freeing it.<br /> <br /> The caller of report_fixup() does not take ownership of the returned<br /> pointer, but it *is* permitted to return a sub-portion of the input<br /> rdesc, whose lifetime is managed by the caller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: prevent policy_hthresh.work from racing with netns teardown<br /> <br /> A XFRM_MSG_NEWSPDINFO request can queue the per-net work item<br /> policy_hthresh.work onto the system workqueue.<br /> <br /> The queued callback, xfrm_hash_rebuild(), retrieves the enclosing<br /> struct net via container_of(). If the net namespace is torn down<br /> before that work runs, the associated struct net may already have<br /> been freed, and xfrm_hash_rebuild() may then dereference stale memory.<br /> <br /> xfrm_policy_fini() already flushes policy_hash_work during teardown,<br /> but it does not synchronize policy_hthresh.work.<br /> <br /> Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the<br /> queued work cannot outlive the net namespace teardown and access a<br /> freed struct net.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly<br /> <br /> In iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner<br /> packet &amp;#39;newskb&amp;#39; that is being reassembled. First a zero-copy approach is<br /> tried if it succeeds then newskb becomes non-linear.<br /> <br /> When a subsequent fragment in the same datagram does not meet the<br /> fast-path conditions, a memory copy is performed. It calls skb_put() to<br /> append the data and as newskb is non-linear it triggers<br /> SKB_LINEAR_ASSERT check.<br /> <br /> Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [...]<br /> RIP: 0010:skb_put+0x3c/0x40<br /> [...]<br /> Call Trace:<br /> <br /> iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]<br /> iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]<br /> iptfs_input+0x122/0x3e0 [xfrm_iptfs]<br /> xfrm_input+0x91e/0x1a50<br /> xfrm4_esp_rcv+0x3a/0x110<br /> ip_protocol_deliver_rcu+0x1d7/0x1f0<br /> ip_local_deliver_finish+0xbe/0x1e0<br /> __netif_receive_skb_core.constprop.0+0xb56/0x1120<br /> __netif_receive_skb_list_core+0x133/0x2b0<br /> netif_receive_skb_list_internal+0x1ff/0x3f0<br /> napi_complete_done+0x81/0x220<br /> virtnet_poll+0x9d6/0x116e [virtio_net]<br /> __napi_poll.constprop.0+0x2b/0x270<br /> net_rx_action+0x162/0x360<br /> handle_softirqs+0xdc/0x510<br /> __irq_exit_rcu+0xe7/0x110<br /> irq_exit_rcu+0xe/0x20<br /> common_interrupt+0x85/0xa0<br /> <br /> <br /> <br /> Fix this by checking if the skb is non-linear. If it is, linearize it by<br /> calling skb_linearize(). As the initial allocation of newskb originally<br /> reserved enough tailroom for the entire reassembled packet we do not<br /> need to check if we have enough tailroom or extend it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> esp: fix skb leak with espintcp and async crypto<br /> <br /> When the TX queue for espintcp is full, esp_output_tail_tcp will<br /> return an error and not free the skb, because with synchronous crypto,<br /> the common xfrm output code will drop the packet for us.<br /> <br /> With async crypto (esp_output_done), we need to drop the skb when<br /> esp_output_tail_tcp returns an error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> module: Fix kernel panic when a symbol st_shndx is out of bounds<br /> <br /> The module loader doesn&amp;#39;t check for bounds of the ELF section index in<br /> simplify_symbols():<br /> <br /> for (i = 1; i sh_size / sizeof(Elf_Sym); i++) {<br /> const char *name = info-&gt;strtab + sym[i].st_name;<br /> <br /> switch (sym[i].st_shndx) {<br /> case SHN_COMMON:<br /> <br /> [...]<br /> <br /> default:<br /> /* Divert to percpu allocation if a percpu var. */<br /> if (sym[i].st_shndx == info-&gt;index.pcpu)<br /> secbase = (unsigned long)mod_percpu(mod);<br /> else<br /> /** HERE --&gt; **/ secbase = info-&gt;sechdrs[sym[i].st_shndx].sh_addr;<br /> sym[i].st_value += secbase;<br /> break;<br /> }<br /> }<br /> <br /> A symbol with an out-of-bounds st_shndx value, for example 0xffff<br /> (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:<br /> <br /> BUG: unable to handle page fault for address: ...<br /> RIP: 0010:simplify_symbols+0x2b2/0x480<br /> ...<br /> Kernel panic - not syncing: Fatal exception<br /> <br /> This can happen when module ELF is legitimately using SHN_XINDEX or<br /> when it is corrupted.<br /> <br /> Add a bounds check in simplify_symbols() to validate that st_shndx is<br /> within the valid range before using it.<br /> <br /> This issue was discovered due to a bug in llvm-objcopy, see relevant<br /> discussion for details [1].<br /> <br /> [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: apple: avoid memory leak in apple_report_fixup()<br /> <br /> The apple_report_fixup() function was returning a<br /> newly kmemdup()-allocated buffer, but never freeing it.<br /> <br /> The caller of report_fixup() does not take ownership of the returned<br /> pointer, but it *is* permitted to return a sub-portion of the input<br /> rdesc, whose lifetime is managed by the caller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create<br /> <br /> We have recently observed a number of subvolumes with broken dentries.<br /> ls-ing the parent dir looks like:<br /> <br /> drwxrwxrwt 1 root root 16 Jan 23 16:49 .<br /> drwxr-xr-x 1 root root 24 Jan 23 16:48 ..<br /> d????????? ? ? ? ? ? broken_subvol<br /> <br /> and similarly stat-ing the file fails.<br /> <br /> In this state, deleting the subvol fails with ENOENT, but attempting to<br /> create a new file or subvol over it errors out with EEXIST and even<br /> aborts the fs. Which leaves us a bit stuck.<br /> <br /> dmesg contains a single notable error message reading:<br /> "could not do orphan cleanup -2"<br /> <br /> 2 is ENOENT and the error comes from the failure handling path of<br /> btrfs_orphan_cleanup(), with the stack leading back up to<br /> btrfs_lookup().<br /> <br /> btrfs_lookup<br /> btrfs_lookup_dentry<br /> btrfs_orphan_cleanup // prints that message and returns -ENOENT<br /> <br /> After some detailed inspection of the internal state, it became clear<br /> that:<br /> - there are no orphan items for the subvol<br /> - the subvol is otherwise healthy looking, it is not half-deleted or<br /> anything, there is no drop progress, etc.<br /> - the subvol was created a while ago and does the meaningful first<br /> btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much<br /> later.<br /> - after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,<br /> which results in a negative dentry for the subvolume via<br /> d_splice_alias(NULL, dentry), leading to the observed behavior. The<br /> bug can be mitigated by dropping the dentry cache, at which point we<br /> can successfully delete the subvolume if we want.<br /> <br /> i.e.,<br /> btrfs_lookup()<br /> btrfs_lookup_dentry()<br /> if (!sb_rdonly(inode-&gt;vfs_inode)-&gt;vfs_inode)<br /> btrfs_orphan_cleanup(sub_root)<br /> test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)<br /> btrfs_search_slot() // finds orphan item for inode N<br /> ...<br /> prints "could not do orphan cleanup -2"<br /> if (inode == ERR_PTR(-ENOENT))<br /> inode = NULL;<br /> return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume<br /> <br /> btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)<br /> on the root when it runs, so it cannot run more than once on a given<br /> root, so something else must run concurrently. However, the obvious<br /> routes to deleting an orphan when nlinks goes to 0 should not be able to<br /> run without first doing a lookup into the subvolume, which should run<br /> btrfs_orphan_cleanup() and set the bit.<br /> <br /> The final important observation is that create_subvol() calls<br /> d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if<br /> the dentry cache gets dropped, the next lookup into the subvolume will<br /> make a real call into btrfs_orphan_cleanup() for the first time. This<br /> opens up the possibility of concurrently deleting the inode/orphan items<br /> but most typical evict() paths will be holding a reference on the parent<br /> dentry (child dentry holds parent-&gt;d_lockref.count via dget in<br /> d_alloc(), released in __dentry_kill()) and prevent the parent from<br /> being removed from the dentry cache.<br /> <br /> The one exception is delayed iputs. Ordered extent creation calls<br /> igrab() on the inode. If the file is unlinked and closed while those<br /> refs are held, iput() in __dentry_kill() decrements i_count but does<br /> not trigger eviction (i_count &gt; 0). The child dentry is freed and the<br /> subvol dentry&amp;#39;s d_lockref.count drops to 0, making it evictable while<br /> the inode is still alive.<br /> <br /> Since there are two races (the race between writeback and unlink and<br /> the race between lookup and delayed iputs), and there are too many moving<br /> parts, the following three diagrams show the complete picture.<br /> (Only the second and third are races)<br /> <br /> Phase 1:<br /> Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set<br /> <br /> btrfs_mksubvol()<br /> lookup_one_len()<br /> __lookup_slow()<br /> d_alloc_parallel()<br /> __d_alloc() // d_lockref.count = 1<br /> create_subvol(dentry)<br /> // doesn&amp;#39;t touch the bit..<br /> d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb<br /> <br /> Before using sk pointer, check if it is null.<br /> <br /> Fix the following:<br /> <br /> KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]<br /> CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025<br /> Workqueue: events l2cap_info_timeout<br /> RIP: 0010:kasan_byte_accessible+0x12/0x30<br /> Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df b6 04 07 3c 08 0f 92 c0 c3 cc cce<br /> veth0_macvtap: entered promiscuous mode<br /> RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202<br /> RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001<br /> RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000<br /> R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000<br /> R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001<br /> FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> __kasan_check_byte+0x12/0x40<br /> lock_acquire+0x79/0x2e0<br /> lock_sock_nested+0x48/0x100<br /> ? l2cap_sock_ready_cb+0x46/0x160<br /> l2cap_sock_ready_cb+0x46/0x160<br /> l2cap_conn_start+0x779/0xff0<br /> ? __pfx_l2cap_conn_start+0x10/0x10<br /> ? l2cap_info_timeout+0x60/0xa0<br /> ? __pfx___mutex_lock+0x10/0x10<br /> l2cap_info_timeout+0x68/0xa0<br /> ? process_scheduled_works+0xa8d/0x18c0<br /> process_scheduled_works+0xb6e/0x18c0<br /> ? __pfx_process_scheduled_works+0x10/0x10<br /> ? assign_work+0x3d5/0x5e0<br /> worker_thread+0xa53/0xfc0<br /> kthread+0x388/0x470<br /> ? __pfx_worker_thread+0x10/0x10<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x51e/0xb90<br /> ? __pfx_ret_from_fork+0x10/0x10<br /> veth1_macvtap: entered promiscuous mode<br /> ? __switch_to+0xc7d/0x1450<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> batman_adv: batadv0: Interface activated: batadv_slave_0<br /> batman_adv: batadv0: Interface activated: batadv_slave_1<br /> netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0<br /> netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0<br /> netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0<br /> netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0<br /> RIP: 0010:kasan_byte_accessible+0x12/0x30<br /> Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df b6 04 07 3c 08 0f 92 c0 c3 cc cce<br /> ieee80211 phy39: Selected rate control algorithm &amp;#39;minstrel_ht&amp;#39;<br /> RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202<br /> RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001<br /> RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000<br /> R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000<br /> R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001<br /> FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0<br /> PKRU: 55555554<br /> Kernel panic - not syncing: Fatal exception

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()<br /> <br /> l2cap_ecred_data_rcv() reads the SDU length field from skb-&gt;data using<br /> get_unaligned_le16() without first verifying that skb contains at least<br /> L2CAP_SDULEN_SIZE (2) bytes. When skb-&gt;len is less than 2, this reads<br /> past the valid data in the skb.<br /> <br /> The ERTM reassembly path correctly calls pskb_may_pull() before reading<br /> the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the<br /> same validation to the Enhanced Credit Based Flow Control data path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req<br /> <br /> Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()<br /> that is triggered by a malformed Enhanced Credit Based Connection Request.<br /> <br /> The vulnerability stems from l2cap_ecred_conn_req(). The function allocates<br /> a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel<br /> IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more<br /> than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated<br /> `cmd_len` before checking if the number of SCIDs exceeds<br /> L2CAP_ECRED_MAX_CID.<br /> <br /> If the SCID count is too high, the function correctly jumps to the<br /> `response` label to reject the packet, but `rsp_len` retains the<br /> attacker&amp;#39;s oversized value. Consequently, l2cap_send_cmd() is instructed<br /> to read past the end of the 18-byte `pdu` buffer, triggering a<br /> KASAN panic.<br /> <br /> Fix this by moving the assignment of `rsp_len` to after the `num_scid`<br /> boundary check. If the packet is rejected, `rsp_len` will safely<br /> remain 0, and the error response will only read the 8-byte base header<br /> from the stack.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: set fileio bio failed in short read case<br /> <br /> For file-backed mount, IO requests are handled by vfs_iocb_iter_read().<br /> However, it can be interrupted by SIGKILL, returning the number of<br /> bytes actually copied. Unused folios in bio are unexpectedly marked<br /> as uptodate.<br /> <br /> vfs_read<br /> filemap_read<br /> filemap_get_pages<br /> filemap_readahead<br /> erofs_fileio_readahead<br /> erofs_fileio_rq_submit<br /> vfs_iocb_iter_read<br /> filemap_read<br /> filemap_get_pages